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Preface 


Overview 


This manual tells you how to operate the Sniffer network analyzer. It covers all 
current models and all networks on which the Sniffer analyzer runs. 


This isn’t the installation guide. There’s a separate installation guide for every 
model of the Sniffer network analyzer. If you’re connecting the analyzer for the 
first time, you really should read its installation guide. 


How this Manual is Organized 
Chapter 1 is an overview of the Sniffer network analyzer. 


Chapters 2—5 describe the analyzer’s operations. Chapter 2 (Capturing Frames) 
and Chapter 5 (Displaying and Interpreting Frames) contain most of the material. 


Chapters 3 contains brief descriptions of the Ethernet cable tester and the ARCNET 
token timer. Chapter 4 describes the traffic generator. 


Chapter 6 summarizes two methods for operating the Sniffer analyzer from a 
remote computer, and refers you to their separate manuals. 


Chapter 7 is mainly addressed to specialists and tinkerers. It describes the Sniffer 
analyzer’s use of external files and their organization into directories. It also 
describes the internal formats used for files, and the startup parameters that affect 
the analyzer’s operation 


Chapter 8 describes the Sniffer Configuration Utility. You will need it only if you 
have many protocol interpreters and wish to omit some of them in alternate 
versions of the Sniffer analyzer. 


Chapter 9 is for everybody. It contains a brief list of simple points to check before 
you call Technical Support. 


To help find the topics you want, there is an extensive index. 


Three Ways to Use this Manual 


1. Don’t. You operate the Sniffer network analyzer from menus. The first menu is 
automatically displayed when you turn on power. Each item in every menu has a 
one line description, and you can get more general on-line help at any time by 
pressing the F1 key. Many people apparently use the Sniffer network analyzer 
quite successfully without ever studying the manual. 


2. Browse and skim. Chapter 1 is an overview of the Sniffer network analyzer’s 
functions and capabilities. Read it straight through once to get an impression of the 
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many things the analyzer can do. Skim the other chapters to get an idea of what's 
in them and where you'll find more information when you need it. 


Consult. While you’ re using the Sniffer network analyzer, keep this manual 
nearby. When there’s something particular you want to do or know, skim the table 
of contents for a relevant heading, or look for the topic in the index. 


Sources of Information 


General: 


Sniffer network analyzers and monitors exist in many different versions. Each is 
characterized by: 


The platform on which it runs: that is, the particular make and model of computer 
in which the Sniffer software and network adapter card are installed. This manual 
covers the series 300, 500, and 700. 


The network —or networks— to which the analyzer can be attached and for which 
it has the necessary interface cards and software. This manual covers the Sniffer 
analyzers for WAN/synchronous communications, token ring (16 and 4 Mbps), 
Ethernet, StarLAN, ARCNET, LocalTalk and PC Network Broadband. 


The protocol interpreter suite —or suites— that the Sniffer software uses to decode 
network protocols. This manual does not document the protocol interpreter suites. 
It refers in passing to examples taken from suites for I]BM®, Novell®, XNS™, 
TCP/IP, Sun®, ISO, DECnet®, Nestar PLAN, Banyan® VINES™, AppleTalk®, X 
Windows™, and X.25. 


The sources of information about the Sniffer analyzer reflect this variation. With 
your analyzer, you get two kinds of documentation: 


Documentation common to all Sniffer Analyzers. This includes: 


Sniffer Network Analyzer Operations Manual. (That's the manual you're 
reading now.) Many aspects of the Sniffer analyzer’s operation are essentially 
the same regardless of platform, network, or protocol. This “core” manual also 
describes a few features that exist only for particular models, networks, or 
interpreters. Wherever the manual mentions such a feature, it also indicates the 
network or platform to which the information applies. 


Sniffer Advanced Network Monitor User's Manual. This manual tells you how 
to run the Sniffer monitor modules. 


Sniffer Network and Protocol Reference. This manual contains background 
information about networks and protocols relevant to working with the Sniffer 
analyzer, instructions for building custom interpreters for your own protocol 
suites, and a glossary of technical terms related to networks and protocols. 


TeleSniffer Installation and Operations Manual. This manual describes how to 
operate the Sniffer analyzer remotely, by linking an IBM PC or compatible to 
the analyzer either directly or by a modem and phone line. 


SniffMaster I Installation and Operations Manual. This manual tells you how 
to run any number of remote Sniffer analyzers, each as a separate process, ona 
Sun workstation under Unix™. 
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Specific: Installation Guide. There is a separate installation guide for each of the platforms 
sold by Network General Corporation (NGC). Each manual contains instructions 
for setting up the machine and for connecting it to each network. 


Protocol Interpreter Specification Sheets. Network General supplies a separate 
specification sheet for each protocol interpreter suite. 


Platform Specification Sheets. Network General supplies a separate 
specification sheet for each platform on which the Sniffer Network Analyzer 
runs. 


Network Specification Sheets. Network General supplies a separate 
specification sheet for each network for which it sells a version of the Sniffer 
network analyzer. 


On-line Help 


The Sniffer software includes two levels of help files. Every menu item has its own 
context-sensitive brief help. As you move through the menu, a small panel at the 
bottom of the screen shows a phrase or sentence to elaborate the item currently 
highlighted. 


More general help is available at any time by pressing F1. That brings up a menu 
of topics. When you highlight a particular topic and press Enter, the analyzer 
opens a scrollable panel containing several small pages of discussion, each with its 
own heading. Pressing PgDn or PgUp takes you the following or preceding page; 
End takes you to the last page and Home returns you to the first page; Esc returns 
you to the list of help topics. 


Help displayed in this manner isn’t a substitute for the full manual, but does 
provide a readily available source of reminders. 


Demonstration 


Network General Corporation distributes a demonstration package for the Sniffer 
analyzer. The demo package can run on almost any IBM PC or compatible with a 
minimum of 640KB main memory. 


The demonstration programs give an impression of the Sniffer analyzer’s 
capabilities, especially the way the analyzer displays captured data. However, 
because the demonstration programs use older versions of the software, they don’t 
include some of the Sniffer analyzer’s newer features. The demo programs 
interpret frames provided in special data files that are supplied with them as part 
of the demonstration. The demo programs cannot be connected to a live network 
and cannot accept other data files, such as those captured by a real Sniffer analyzer 
or those included in the analyzer’s directory called SAMPLES (described below). 


You can obtain the demonstration package free of charge from any of the 
company’s marketing representatives or directly from Network General 
Corporation. 
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Tutorial 


Network General Corporation distributes a booklet with accompanying diskette 
entitled Real Networks. Real Problems. It presents case studies based on data 
captured with a Sniffer analyzer from four different networks. The diskette permits 
the reader with an IBM PC or compatible to reproduce the screens that someone 
with a Sniffer analyzer would see as investigation of a network problem proceeds. 


You can obtain the tutorial free of charge from any of the company’s marketing 
representatives or directly from Network General Corporation. 


Sample Files of Captured Frames 


The Sniffer analyzer’s hard disk contains a set of sample trace files (files of 
captured frames). They contain frames captured from the network (or networks) 
for which your particular Sniffer analyzer is equipped. The analyzer can capture or 
display data from these trace files. Some of the figures in this manual are taken 
from the samples. 


To familiarize yourself with your analyzer’s operations, try replaying some of the 
sample files as if the analyzer were capturing data from a network. Once you've 
captured frames in that way, you can display them just as you would display 
frames captured from your own network. 
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Chapter 1: Overview—What the Sniffer Analyzer Does 


Chapter Overview 


Monitoring 


Analysis 


The Sniffer analyzer attaches to a network to monitor, record, analyze, and 
interpret network transmissions. 


Monitoring and analysis are separate activities. Both are run entirely from menus. 
There is no command language and no commands to learn. Typically, the only 
information you ever need to type is the name of a file you want saved or the 
details of a transmission you want the analyzer to find. 


Monitoring presents a real-time summary of certain aspects of network activity, for 
example a continuously-updated chart by protocol. The Sniffer Network Monitor 
operates independently from the rest of the Sniffer network analyzer. At any 
particular time you run one or the other but not both at once. The Sniffer Network 
Monitor is described in a separate manual entitled Sniffer Advanced Network 
Monitor User's Manual. 


Analysis depends not just on noting traffic as it goes by, but recording it for 
detailed examination and interpretation later. This manual is principally concerned 
with operation of the Sniffer Network Analyzer. Models of the analyzer are at 
present available for eight networks: Ethernet, token ring (at both 16 and 4 Mbps), 
ARCNET, StarLAN, PC Network (broadband), LocalTalk, and wide-area 
synchronous links. 


Analyzing the activity of a network can be divided into two broad phases: capture 
and display. In the first phase, you capture arriving frames and store them ina 
buffer. While this is going on, the analyzer keeps updating its real-time displays of 
the network’s activity. In the second phase, you interpret the frames you have 
captured earlier, and display them in a variety of formats. 


Schematic View of the Flow of Frames 


Figure 1-1 (next page) represents the route frames follow as they move from the 
network to the network interface card, from there through filters and triggers to 
the capture buffer, and from there to the interpreters and displays. You may want 
to turn back to the figure as you read descriptions of these functions in the sections 
that follow. 
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Figure 1-1. Schematic view of the flow of frames in the Sniffer Network Analyzer. 
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Networks— Local and Wide Area 


The Sniffer analyzer can be attached to a local area network (a LAN) or to a 
synchronous line such as those used to link one LAN to another, or to link a remote 
station to a central host. On either type of network, in almost all its operations the 
analyzer is passive!. 


Synchronous pike, 
Serial Link 
Gateway 
To LAN 


Network Analyzer 


Figure 1-2. Ona wide area synchronous link, the Sniffer analyzer is a passive listener. 


When a Sniffer analyzer is attached to a local area network, it becomes a station on 
the network like any other. However, it’s role is still passive. It “hears” the traffic 
sent from all stations. Although every station physically receives every 
transmission, ordinarily each ignores all messages except those addressed to it. The 
Sniffer analyzer not only hears all transmissions but can also analyze or record 
them, regardless of how they’re addressed. 
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Figure 1-3. On most LANs, the Sniffer analyzer is a station like the others, but “hears” all. 


Interpretation 


The Sniffer analyzer takes what would otherwise be a dense and meaningless 
stream of bits and translates it into readable English. It dissects each transmission 
(called a frame or packet) into its component layers. Then it decodes each layer 
according to its protocol—the rules of format and syntax that govern its encoding. 
For a quick summary view, the analyzer can show you just the highest layer of 
each frame’s interpretation. Or, if you request, it can show you all layers from 


On networks other than LocalTalk or WAN/Synchronous, the analyzer can on request transmit repeated test 
frames. On the token ring, every station must participate in forwarding all traffic from its upstream neighbor to its 
downstream neighbor; the Sniffer analyzer does that in the same way as other stations. 
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lowest to highest. For each layer, the interpreter can show a succinct one-line 
summary, or a detailed translation of the important fields and parameters. 


Symbolic Names for Addresses 


To make its displays easier to read, the interpreter augments the binary codes that 
in fact identify sender, receiver, or routing with symbolic entries from a name table. 
Thus, when a frame’s high-level destination is 00100100001101010000000011000011, 
rather than showing the address as 24 35 00 C3 or even [36.53.0.195], the analyzer 
lets you see it as “Janet’s Workstation” or whatever makes sense to you. When the 
analyzer has no name for a station, it displays the name of the manufacturer and the 
unique address that the manufacturer assigns to that station. 


SUMMARY—Delta T—DST SRC 

56 0.0014 Kate +BIZ-ONE DLC 802.2 size=38 bytes 

| XHS NetWare Reply ¥=204 C=45 T=0 
| NCP R OK 


57 ~=0.0009 BIZ-ONE «Kate DLC 802.2 size=44 bytes 
XNS NetWare Request N=205 C=45 T 


SS ae 
Packet type = 17 (Novell NetWare) 


Source net = = 


HEY. ASCII 
0000 02 07 01 03 2E CA 02 60 8C OA OA 09 00 Q6 FF FF ....... "a abe a 
| 0040 00 26 00 14 (IIMS 02 07 01 03 2E CA 40 03 ee @. 
0020 00 00 00 01 0U 00 00 00 OO FY 04 51 33 33 CC QD ........... Q33. - 
| 0030: 00 G0'00' 0G 00 2003-59 OA 05 8806 = 8 caesar Wises 
Frame 56 of 7151 
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Figure 1-4. Sample display of a captured frame. In this example, all three views are visible: 
summary, detail, and hex. 


Traffic Density Displays 


While it “listens” to network traffic, the analyzer accumulates statistics. As frames 
arrive, it displays real-time graphs of traffic density, or updates a table that counts 
messages by source and destination. 
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Figure 1-5. Skyline view of traffic density at one-second intervals. 
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Capturing Traffic 


The analyzer scrutinizes the traffic it hears and records the frames that pass 
various filters. Recorded frames may be saved to a file for analysis later, or 
immediately displayed, filtered, and interpreted. 
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Filters 
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Figure 1-6. A five-second sample of traffic tabulated by source and destination pairs. 


The number of frames reaching the adapter is potentially so large that it’s often 
essential to select only a subset for storage. Saving them all would take far too 
much space. Before you start capture, you can set filters so that the analyzer saves 
only frames that meet certain criteria. The analyzer applies a filter to each newly- 
arrived frame and discards all frames that do not meet its test. 


Capture filters may be any combination of the following types. In each case, the 
filter can be set to save frames that do meet the test or that do not meet the test. 


Selection by station address. The Sniffer analyzer accepts frames sent to or from 
particular addresses that you specify. 


Selection by destination class. The Sniffer analyzer accepts frames that have 
specific destinations, rather than frames addressed to a group (for example, 
broadcast). 


Selection by unknown address. The Sniffer analyzer accepts frames sent from or to 


an “unknown” station— that is, a station not included in the table of names for 
stations. 


Selection by protocol. The Sniffer analyzer accepts frames that contain any of the 
low-level protocols you specify. (During capture, to maintain speed, filtering is 
restricted to the lower levels. During display, you can set filters for higher level 
protocols embedded within the frames. ) 
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* Selection by pattern. The Sniffer analyzer accepts frames that contain a specified 
pattern. A pattern can be constructed as some logical combination of up to eight 
component patterns. Each of the component patterns is described by a particular 
sequence of bits or characters at specified positions. For example, a filter might 
accept only frames that pass between a particular user and server and involve a 
particular error code in a particular protocol. 


Filtering and Searching During Display 


During display, you can use filters to select frames from the capture buffer. They’re 
called display filters; they work in much the same way as capture filters. However, 
they can also respond to criteria that are not feasible during capture. For example, 
they can choose to display only frames that contain a particular high-level protocol 
or high-level address. 


Filtering permits you to suppress traffic that’s irrelevant to your concern, and to 
limit the display to frames involved in a particular transaction. With the obscuring 
bulk cleared away and the remaining frames concisely interpreted, it becomes easy 
to trace interactions between stations. You can see normal patterns at a glance, and 
readily identify suspicious exceptions. 


It’s also possible to search through the captured frames for those that contain 
particular items. This feature not only permits you to search for a particular 
address or pattern of data, but also for text that the Sniffer analyzer uses in the 
interpretation. Thus, you can search for names, values, or phrases. Frequently, the 
text you search for is implied by codes contained in the frame, but present as 
characters only in the Sniffer analyzer’s interpretation. 


The Sniffer Analyzer’s Hardware and Software 


Each Sniffer system has a network interface card (abbreviated NIC). The NIC is 
specific to a particular model of computer and to the physical characteristics and 
low-level protocols of a particular network. When the Sniffer analyzer is used on a 
synchronous line, the interface card is equipped to receive (and pass through) both 
sides of the two-way traffic. When the Sniffer analyzer is used with a LAN, the 
interface card resembles the card used by any other station. However, the Sniffer 
analyzer’s NIC responds to any frame, not just those addressed to it. 


In some models of the Sniffer analyzer, it is possible to mount more than one 
interface card. The model 500 has space for two interface cards. Such an analyzer is 
ready to connect to either of the networks represented by the NICs installed— 
although only to “sniff” on one at a time. 


|| General || 
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Self-Contained vs. Board Models 


The Sniffer network analyzer is sold in either of two formats: 


A self-contained system. It has all the necessary hardware and software already 
installed in a portable computer. Such a system need only be connected to a power 
supply and to the network, and it is ready for use. A self-contained Sniffer analyzer 
is identified by a model number that starts with the letters PA. 


A modular board system. It consists of the network interface card (or cards) and 
the software, to be installed from a set of diskettes. A modular system is identified 
by a model number that starts with MS. After you’ve purchased a modular Sniffer 
analyzer, you install the software and the interface card yourself in your own 
computer. Modular systems are at present available only for the Compaq Portable 
386. Once you have installed the module, you have a machine identical in 
operation and performance to the corresponding self-contained machine. 
Instructions for assembling a modular system are contained in Sniffer Network 
Analyzer Series 500 Installation Guide. 


Configuring Network and Interpreter Combinations 


Each Sniffer analyzer’s software is individually compiled at the factory to match 
the network and protocol interpreters you have ordered. There is a separate 
executable file for each network your machine supports. Each executable file is 
serialized to match the address of its interface card. Select the network you want 
from the analyzer’s main selection menu (Figure 1-7). The items in the menu 
match the network cards and software actually installed. 
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The Sniffer Network Analyzer 


(C) Copyright 1986-1990, Network General Corporation 


Main selection menu 


Ethernet Monitor Internal plasma display 
Ethernet Analyzer External color monitor 
Etnernet Analyzer External LCD projector 
Token Ring 16/4 Analyzer Return to DOS 
TeleSniffer System shutdown 


Snifffaster I Remote Analyzer 
Configuration Utility 


Suites: TCP/IP, SUN, ISO 


Use arrow keys to select, then press Enter. 


Figure 1-7. Main selection menu on an analyzer equipped with two network interface 
cards, and two Ethernet analyzers (with different protocol interpreter suites). 


Each executable file automatically includes interpreters for the protocols at the 
network’s lowest levels, usually at the level of data link control (DLC). To interpret 
higher-level protocols, you must order one or more of the protocol interpreter suites. 
Each suite provides interpretation for a set of protocols commonly found together 
on a network. For example, there’s a suite for the TCP/IP family and another for 
the ISO family, each containing more than a dozen protocols. If your network runs 
ISO over TCP/IP, you would need both suites. 


If you have a large number of interpreters for the same network, but a platform 
with an inherently limited address space, your machine may not have enough 
addressable memory to run all of your interpreter suites in the same executable 
file. This affects only certain models and certain combinations of large interpreters. 
If your particular analyzer does not have enough memory to link all the 
interpreters you have ordered, NGC provides for several alternate versions of the 
executable file. Each of the alternates contains some reasonable combination of 
interpreters, but none contains all of them. That’s why Ethernet analyzer appears 
twice in Figure 1-7 . 


When your software is built, the factory automatically divides your protocol 
interpreter suites among alternate versions of the Sniffer analyzer. However, if 
you'd prefer a different combination of interpreters, you can generate an 
executable file yourself using the Sniffer configuration utility. Network General 
Corporation provides the configuration utility automatically but only on machines 
that might need it. If you have a machine that requires a configuration utility, 
you'll see that it appears as one of the choices in the main selection menu. The 
configuration utility is described in Chapter 8. 
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Local and Remote Operations 


Each Sniffer analyzer has its own full-function keyboard. When you control the 
analyzer locally, you do so from its keyboard, primarily by selecting items from 
menus. For most operations, you can do everything with the cursor-movement 

keys (the four arrows), the Spacebar, the function keys, and the Return key. 


You can also run the Sniffer analyzer remotely from another computer. The 
analyzer’s serial port transmits a copy of the analyzer’s screen to the remote 
controller, and receives keystrokes from it. There are at present two ways to 
operate the Sniffer analyzer remotely: 


SniffMaster. The controlling device is a process running in a window on the screen 
of a Sun® workstation under Unix®. Information from the analyzer’s serial port can 
be routed to a terminal server and from there to the controlling workstation by 
way of the network on which the workstation is located. The workstation can run 
any number of such processes, provided each has a route to a Sniffer analyzer. 


LAN on which 
the controlling workstation 
is located 


LAN 


being Terminal 
observed server 
| 
Asynchronous i 
seria 
f = 
—{ |- Workstation process 
Network Analyzer acting as remote controller 


Figure 1-8. Sun workstation acting as remote controller to a Sniffer analyzer. 


If you have a Sniffer analyzer and suitable workstation, SniffMaster I is a software 
product available for purchase from Network General Corporation. Its installation 
and operation are described in the publication SniffMaster I Installation and 
Operations Manual. 


TeleSniffer. The controlling device is a PC. Information from the analyzer’s serial 
port is routed to the serial port of the controlling PC, either by a direct cable link or 
through a communications line with modems at the two ends. While it is acting as 
controller for a Sniffer analyzer, the PC is dedicated to that task. 


Asynchronous 


erial Link | 


PC acting as 
Network Analyzer remote controller 


Figure 1-9. IBM PC or compatible acting as remote controller to a Sniffer analyzer. 
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TeleSniffer also provides a means by which Network General’s support staff could 
—with your permission and assistance— connect one of their PCs to your Sniffer 
analyzer. In the event you are experiencing a problem that hasn't been otherwise 
resolved, someone from the NGC support staff could connect to your machine to 
examine its operation. 


Software to make the Sniffer analyzer accept remote control and software to run 
the controlling PC is included with every Sniffer analyzer. Installation and 
operation of TeleSniffer are described in a the publication TeleSniffer Operations 
Manual. 


Traffic Generator and Cable Test 


On Ethernet, token ring, ARCNET, StarLAN and PC Network, the Sniffer analyzer 
is capable of transmitting the same message repeatedly in rapid succession. Since 
the stations ona LAN share a common medium of transmission, transmitting 
dummy traffic can simulate the effect of various kinds of load while you examine 
the performance of the remaining network stations. 


Depending on the network to which it is attached, the analyzer may be able to 
perform certain tests. It can test for cable faults on Ethernet, or measure the 
circulation time of the ARCNET token. 


Effect on Other Stations 


How does the Sniffer analyzer affect other stations on the network? The Sniffer 
analyzer keeps a low profile. 


Passive listener. The Sniffer analyzer reports all network traffic without adding 
anything to it. On the token ring, every station must repeat each frame it receives, 
forwarding everything from its upstream neighbor to the station downstream from 
it. The analyzer forwards frames in the same way as any other station. 


Cooperative player. On most LANs, the analyzer is enrolled as a station like any 
other. When it transmits, it obeys the standard rules for avoiding collisions. On a 
network that uses token-passing to convey the right to transmit (ARCNET or token 
ring) the analyzer passes the token in the same way as other stations. 


Even when generating test transmissions, each analyzer still obeys the network’s 
usual constraints. On a network that depends on collision sensing, avoidance and 
detection, the Sniffer analyzer waits for the standard interval of silence before 
transmitting, and backs off from a collision in the same way as other stations. Ona 
token-passing network, for each transmission the analyzer waits until it again has 
the token. 


Semi-invisible listener on the token ring. On a token ring network, each station is 
ordinarily expected to respond to a poll acknowledging that it is a stand-by monitor. 
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The token ring analyzer does not reply to this poll.1 Periodically it sends a frame 
to the functional address “LAN Manager” announcing “trace tool present.” Apart 
from that, it plays no other role. In particular, the analyzer never acts either as 
stand-by monitor or as active monitor. It passes through all traffic unchanged, so 
that (except for its “trace tool present” announcements) it is invisible to other 
stations. If a station playing the role of LAN Manager objects to the presence of an 
analyzer, the objecting station may broadcast a special frame that forces the 
analyzer’s NIC to drop out of the ring immediately. 


Because the Sniffer analyzer does not participate in ring maintenance, it is able to 
operate even on a ring that is beaconing. That’s important when a cable fault or a 
failure at one of the stations has halted the ring’s normal circulation. 


Sources of Capture— Live vs. Recorded 


Before the Sniffer analyzer can provide detailed interpretation or analysis, it must 
obtain a sample of network traffic. There are two ways to do this: live or recorded. 


* Live capture;. The Sniffer analyzer’s network interface card detects all traffic, and 
passes it to the analyzer’s CPU. Frames that pass the capture filter are stored in the 
capture buffer for subsequent display or analysis. As frames arrive, the analyzer 
updates its real-time display of traffic density.; 


* Capture from a previously recorded file. Instead of capturing from the network, the 
analyzer can read from a file of saved frames. Such a file is created by saving the 
contents of the capture buffer. By capturing from a file, you can “replay” a capture 
that took place at an earlier time. For example, you can replay capture of the 
sample files distributed with the Sniffer analyzer. (They're stored in the directory 
\CAPTURE\SAMPLES.) Since a file of captured frames includes a timestamp for 
each frame, the replayed capture reproduces not only the data but also the timing 
of each frame’s arrival. 


When you're capturing from a previously recorded file, you can set capture filters 
just as you would for live capture, accepting into the capture buffer only those 
frames that pass the filter. Capturing from a file is a way to gain experience in 
operating the analyzer or setting its capture filters. You can replay recorded 
captures when the network is not active or when the analyzer is not actually 
connected to the network.2 


1 Earlier models of the token ring Sniffer, operating only at 4 Mbps, were not quite so passive. They responded to the 


poll for a stand-by monitor, and, if need be, could become the ring’s active monitor. 


2 However, the Sniffer software requires the matching network interface card, and can’t run unless it is installed. 
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Displays During Capture 


While it is capturing frames, the Sniffer analyzer is able to tabulate and meter the 
frames it is capturing. There are much more extensive monitoring capabilities in 
the Sniffer Network Monitor. However, the Sniffer Network Monitor doesn’t save 
frames for later analysis and doesn’t interpret their protocols. When your interest 
is primarily monitoring (and you’re attached to a network for which monitoring is 
available), you may find it preferable to run the Network Monitor rather than the 
Network Analyzer. You start the monitor from the main selection menu (see 
Figure 1-7, page 11). Monitor operations are described in the publication Sniffer 
Network Monitor Installation and Operations Manual. 


What follows describes the more limited facilities for metering and tabulation that 
accompany the capture phase of the Sniffer Network Analyzer. 


Before you start capture, select the type of display the Sniffer analyzer will be 
generating while frames arrive. The choices are: 


* Graphic. “Skyline” displays of traffic density over time. 
* Tabular. Source or source-and-destination counts in various formats. 


* Neither, during highspeed capture. During a burst of dense traffic, frames may 
arrive faster than your analyzer can process them.The time to process frames 
depends on many factors, including the complexity of the capture filters you 
use, and your particular combination of platform and network. The lost frames 
counter shows how many frames your analyzer has seen but was unable to 
record. On some networks, to minimize the number of frames lost, you can 
select highspeed capture. The analyzer then gives full attention to arriving 
traffic. It omits the tabular or graphic display, and it doesn’t filter the arriving 
frames. 


Count of frames seen. Regardless of these settings, the analyzer always shows the 
total labeled frames seen. This figure includes all frames, regardless of whether the 
capture filters accepted them. 


Real-Time Displays of Network Traffic 


While the Sniffer analyzer is capturing, it measures the rate at which frames are 
arriving and gives you a real-time graphic display in one of several forms. All 
displays include a traffic density bar graph, a count of frames seen, and an elapsed 
time counter. 


* Traffic density bar graph. This looks like a thermometer running sideways across 
the lower part of the screen. On a LAN, there’s a single bar for total traffic. Ona 
synchronous link, there’s one bar for traffic from DTE and another for traffic from 
DCE. The bars show traffic density in kilobytes per second, frames per second, or 
(on a LAN) as a percentage of the available bandwidth. 
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* Traffic statistics. Just above the traffic density bar, the Sniffer analyzer shows 
certain statistics in one or two rows, depending on the network. These show the 
gross number of frames seen, and the number of kilobytes and frames that the 
filters have accepted. 


* Audible clicks. Unless you reject this option, the analyzer emits a small clicking 
sound for each frame that passes the capture filter. The pattern of clicks gives a 
useful auditory clue to the density of traffic. 


Traffic Meters and “Skylines” 


Except when you're using highspeed capture, there are two ways the Sniffer 
analyzer can display ongoing activity while it is capturing: meters or skylines. 
Before you start to capture, select the type of display you want to see during 
capture. 


Meters. The metering display gives you an array of counters that are updated in 
real time, as frames arrive. What the meters tabulate depends on the type of 
network. 


On a synchronous link , counts are subtotaled by type of frame and also by higher- 
level address (logical call number). There are separate counts for traffic from DTE 
and from DCE. 


OnaLAN, the traffic is subtotaled by station, either individually by source, or 
pairwise by source and destination. Figure 1-6, page 8, shows a tabulation by 
source and destination. Where every station has a one-byte local address 
(ARCNET and LocalTalk), you can have the tabulation by source arranged in a 
16x16 table; this compact display assures space for every possible address. 


Histograms (“Skylines”). A skyline is a continuously-updated histogram (see 
Figure 1-5, page 7). A new column is added at the right once every second, minute, 
or hour, depending on the time scale you select. 


The display shows two or more histograms, one above another. The self-contained 
portable analyzer has room for only two histograms; a larger external screen 
permits more. On a synchronous link, the display shows histograms for traffic 
from DTE and from DCE. Ona LAN, one shows traffic density (frames or kilobytes 
per second) and a second the number of stations that are active (have transmitted 
during the time interval). Where there’s room for additional skylines, they may 
show both number of frames and number of bytes, or totals for broadcasts or 
errors, depending on the network. 


The Capture Buffer 


After they've been counted or graphed, frames that pass the capture filter are 
examined by the trigger detector. It stops capture when it detects a patterns you've 
asked for; it’s described in the next section. After they’ve been scanned by the 
trigger detector, frames pass to the capture buffer. The capture buffer’s size varies 
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with the platform and the protocol interpreters installed. The capacity ranges from 
a few thousand medium-sized frames, up to many thousands. Where space is at a 
premium or frames are long, you can save space by truncating frames that exceed a 


given length. 


Frames accumulate in the buffer in the order they are received. When the capture 
buffer becomes full, the Sniffer analyzer can halt capture or it can discard older 
frames to make way for new arrivals. 


The Trigger-Detector Scans Arriving Frames for a Pattern 


The trigger detector scans the stream of incoming frames. Frames go to the trigger 
detector after they've passed the capture filters but before they go to the capture 
buffer. (See Figure 1-1, page 4). 


The trigger detector scans each frame, looking for one that contains a particular 
combination of patterns you've described. When it finds the trigger pattern, it 
stops capture. You can examine the frames in the buffer to see what has happened. 
Either the trigger detector stops capture immediately or it stops after a delay that 
you specify. The delay permits the analyzer to collect frames that follow the trigger 
event, as well as frames that precede it. 


Specifying the Trigger Pattern 
A trigger pattern is some combination of bits, bytes or characters at various 
positions in a frame. A trigger can be constructed as a logical combination of up to 
eight component patterns, each described by a particular sequence at specified 
positions. 
To illustrate use of a trigger pattern, suppose it appears that there are intermittent 
difficulties with access to a file server. A filter could restrict capture to frames to or 
from the server. A trigger pattern could be set to halt capture when a frame from 
the server contains an error code in a protocol related to file transfer. When the 


analyzer reports such a frame, you have both a record of the error report and of the 
request that led to it. 


Displaying and Interpreting Frames 
Once capture has stopped, you can: 
* Copy the contents of the capture buffer to a file for later analysis or display. 
* Filter the display, so you see only those frames that meet certain criteria. 
* View the frames through one or more views, each with a particular style of display. 


* Browse through the frames in the capture buffer. 
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* Print the contents of the buffer, according to the filters and views you've specified. 


You have many options for displaying the contents of the capture buffer, either on 
the Sniffer analyzer’s screen or in a printed report. (You can direct output either to 
a locally-attached printer or to a file on one of the Sniffer analyzer’s disk drives.) 


You can set up a display filter so that frames that don’t interest you are omitted 
from the display (even though they remain in the capture buffer). The mechanism 
for filtering frames from the display is like the mechanism for filtering frames 
during capture. 


Saving the Capture Buffer 


From the keyboard, you can select a command that saves the contents of the 
capture buffer to a file. You can save the entire capture buffer or just the frames 
that are accepted by your current display filter. 


All displays and analyses work with the frames that are in the capture buffer. You 
can display newly captured frames or frames that you load into the capture buffer 
from a file you saved earlier. 


Display Filters 


Display filters work in much the same way as capture filters. However, because 
display filters don’t have to work under time-pressure, they can also examine 
higher-level protocols and higher-level addressing. The list of protocols is longer in 
the display filters menu than in the capture filters menu. For display filters, the 
list includes all the protocols that your protocol interpreter suites can recognize. 


Higher-level Addresses. In addition to the DLC source and destination addresses, a 
frame may also contain other, higher-level addresses. In the address level filter, 
you check the /evel that must be included in the frame’s addressing. 


For example, on a LocalTalk network, every frame has a DLC address. Some 
frames also have an address in an AppleTalk protocol. In the address level filter, if 
you put a check mark beside DLC, the filter accepts every frame, since every frame 
has a DLC address. But if you check ATALK but not DLC, the filter accepts only 
those frames that contain an AppleTalk address. 


In the summary view, the analyzer shows each frame’s address at the highest of 
the levels you checked. 


Selecting the Form of Display 
The display may contain any combination of the following three views : 


* Detail view. Each frame is decoded to show the type of frame and the protocols it 
contains. For high-level frames, the interpretation may require several levels, one 
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for each protocol the frame contains. For each protocol, the detail view names the 
principal fields and interprets the values of each. 


For each address in each protocol, the detail view shows both the numeric code 
actually transmitted and a symbolic equivalent. You can edit the address table to 
insert your own names, or import names from an external file. 


Summary view. This condensed form abbreviates and truncates some of the 
information from the detail view. 


All-level vs. highest-level-only display. You can elect to display a one-line 
summary of each protocol within a frame, or to show only the highest level. 


Hexadecimal view. The entire frame is listed, except for user data that may be 
suppressed from unauthorized viewing. You can elect to have character data 
displayed according to ASCII or EBCDIC conventions. 


The hexadecimal view and the detail view show data for just one frame. The 
summary view shows not only the frame you are examining but a few on either 
side of it as well for context. 


Layers in the OSI model. The interpreter labels and decodes the standard fields in 
each frame, making it easy to see the message conveyed. When you have an 
external color monitor, each layer is shown in a distinctive color. Color coding 
applies in all three views, summary, detail, and hex. 


Coordination of views. When you open two or more views at once, the Sniffer 
analyzer coordinates highlighting in the various views. The detail view’s 
interpretation is automatically scrolled to match the level you've highlighted in the 
summary view. When both the detail and hex views are open, moving the 
highlight in the detail view causes a corresponding highlight in the hex view, so 
you can see which parts of the hex display correspond to the interpreted detail. 


Two-Station Format. Frequently, analysis concerns the flow of commands 
between a pair of stations. Two-station format is a variant form of the summary 
view. Frames from the first station are summarized on the left side of the screen, 
and frames from the second station are summarized on the right. That way, it’s 
easy to distinguish the two sides of a conversation. (If you also accept frames from 
other stations, they remain in the normal full-width format.) 


Views and Viewports 


Each view you select appears in its own rectangle within the Sniffer screen. The 
screen may be tiled as two, three, four, or six equal-sized rectangles, according to 
the number of views and viewports you request. 


Two viewports. Sometimes it’s important to compare a frame from one part of the 
capture buffer with a frame that arrived earlier or later. You can do that by electing 
two viewports. That splits the screen into left and right halves. You can scroll the 
two sides independently, permitting you to display one frame on the left and 
another on the right. 
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Scroll. When a frame’s display doesn’t fit within its window, you can scroll the 
active window both vertically and horizontally until the part you want is in view. 


Zoom. You can temporarily assign one view to the entire Sniffer display. To do 
that, press F4, labeled zoom. The active view gets the entire display area until you 
again press F4 to “zoom out,” thereby restoring the other views. 


Protocol Interpreter Suites 


The Sniffer doesn’t just capture and store frames from the network. It also 
interprets them. When you select the detail view, you get a set of interpretations 
for each frame, one interpretation for each level of protocol that the frame contains. 
Interpretation of the lowest-level protocols is provided automatically when you 
specify the network on which your Sniffer analyzer runs. Optional protocol 
interpreter suites interpret higher-level protocols. Each suite provides interpretation 
of several protocols likely to occur together. Figure 1-10 shows a list of the protocol 
interpreter suites available when this manual was printed. Network General 
frequently adds new protocol suites, or enhances existing suites to include 
additional protocols. If you don’t see the protocol you want, you should ask 
Network General or its agents whether it has been added. 


Custom interpreters. If your network transmits frames containing protocols 
unknown to the Sniffer analyzer’s interpreters, it’s possible to augment Network 
General’s interpreter suites with “custom” interpreters of your own. To write an 
interpreter, you'll need familiarity with the protocol, with the network’s DLC and 
LLC conventions, and with the C programming language. Directions for writing a 
custom interpreter are included in the publication Network and Protocol Reference 
Manual. 
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Suite | Name Protocols 
1301 | IBM SNA; SMB; RPL; NetBIOS; LLC; 
Network Management (SAP F4). 
1302 | Novell NCP; SAP; NETBIOS; XNS; SPX; IPX; RIP 
NetWare 
1303 | XNS XNS; SPP; PEP; RIP; NBP; Echo; Error 


1304 | TCP/IP NetBIOS; FTP; Telnet; SMTP; RUNIX; DNS; TCP; CMOT; 
| SNMP; UDP; GGP; ICMP; LLC; ARP; RARP; SNAP; TRLR; RIP 


pany 
Ww 
oO 
o 
Wn 
cq 
=} 


| ND; NFS; YP; PMAP; MOUNT; RPC. 
1306 | ISO | ETAM; VTP; ACSE; ISO Presentation; ISO Session; NetNIOS; 
TP; SMB; CLNS; ES-IS Routing; LLC; ISODE; CMOT; SNMP; 
ASN.1 


1307 | DECnet DAP; NICE; SMB; CTERM; FOUND; SCP; NSP; DRP; MOP; 


LAT. 
— — 
1308 | Nestar Nestar FS and IOB commands; SMB; XNS; SPP; IDP; FRP; 
LLC. 
1309 | asin StreetTalk; MAIL; SMB; Matchmaker; IPC; SPP; RTP; ARP; 
VINES ICP; IP; FRP; LLC. 
att 


1310 | AppleTalk | AFP; PAP; TOPS; ASP; ADSP; NBP; ATP; RTMP; ZIP; Echo; 
KSP; AARP; DDP; SNAP; LLC; LAP. 


1311 X Windows] X Windows. 


1312 t X.25 X.25, X.29. 


Figure 1-10. Protocol Interpreter Suites. 


Names and Name Tables 


A name table pairs a numeric network address with an arbitrary name. When the 
Sniffer analyzer identifies a station, it can substitute the name in the table for the 
numeric code that was actually transmitted. 


The first time you display frames after a new capture, the analyzer checks through 
all the frames in the capture buffer and adds to its working copy of the name table 
any DLC addresses that are not yet in it. You can edit the working table to provide 
symbolic equivalents for the addresses that lack them. You can also save the 
working name table and reuse it during subsequent captures or displays. 


After you have provided symbolic equivalents, the analyzer uses them not only in 
displays but also during subsequent capture sessions. The Sniffer Network 
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Monitor shares tables with the the Sniffer Network Analyzer, so that they both 
benefit from additions to the name table. 


Resolving names from other tables. The manage names menu contains an 
instruction to resolve names. When you select that option, the analyzer searches a 
saved name table to find equivalents for unnamed addresses in the analyzer’s 
working name table. 


Searching for names. In some network protocols (for example, NetBIOS, AppleTalk 
or Novell NetWare), stations may declare names for themselves. The Sniffer 
analyzer is able to search the capture buffer for frames that contain names and use 
the names it finds to fill blanks in the working name table. 


Saving and Restoring Setups 


The Sniffer network analyzer offers a rich choice of options concerning both 
capture and display. To simplify work at subsequent sessions, you can name and 
store a record of the options you've selected. That's called a setup file. At a 
subsequent session, you have only to load a previously-saved setup, and all the 
settings it contains are restored. 


Network-Specific Testing 


The Sniffer analyzer uses characteristics of certain networks to provide additional 
information about them. When you purchase an analyzer for one of these 
networks, the additional facility is automatically included and appears in the 
menus. 


Cable Tester (Ethernet) 


On request, the cable tester emits a pulse and measures the time until it hears an 
echo. It notes the occurrence of the echo produced by reflection from a short or an 
open cable. The Sniffer analyzer displays the result. It shows whether a suspicious 
echo was detected, and, if so, the actual delay. It converts the the time into an 
estimated distance along the cable. 


Token Timer (ARCNET) 


ARCNET stations are physically located on a bus to which all have access. 
However, transmission priority is controlled by a token. The token circulates in a 
ring sequence. On request, the Sniffer analyzer measures and displays the interval 
between the moment it transmits the free token until it again receives the free 
token. This provides an estimate of the amount of time a station will have to wait 
for the token after it is ready to transmit. 
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The Sniffer Analyzer’s Modes of Operation 


Menu-Driven Controls 


As soon as you turn the machine on, the installed Sniffer software automatically 
begins executing. It displays the initial selection menu. From there, you may elect 
to run the Sniffer Network Analyzer or the Sniffer Network Monitor. You may 
choose various other settings or utilities. 


Menus control all of the Sniffer analyzer’s functions . Move the cursor to the one 
you want and press Enter or Spacebar to register your choice. Or press one of the 
function keys, always labeled on screen to show its effect. Most actions require 
only that you move the cursor and press a key. A few actions cause the analyzer to 
open a dialog box in which you supply details (for example, a search pattern, the 
name of a file, and so on). 


The Selection Menu 


Whenever you start the Sniffer Analyzer, you are taken automatically to the main 
selection menu. You can see an example in Figure 1-11. The selection menu lists 
the major choices open to you. (The items in the menu depend on the networks 
and protocol interpreter suites installed on your machine.) 


tm 
The Sniffer Network Analyzer 


(C) Copyright 1986-1990, Network General Corporation 


Main selection menu 


Ethernet Monitor Internal plasma display 
Ethernet Analyzer External color monitor 
Token Ring 16/4 Analyzer External LCD projector 
Syncnronous wan Analyzer Return to DOS 
TeleSniffer System shutdown 


SniffMaster I Remote Analyzer 
Configuration Utility 


s 


uites: IBM, TCP/IP, XWindows, X.25. 


Use arrow keys to select, then press Enter. 


Figure 1-11. Sample of the Sniffer Analyzer’s main selection menu. 


ey ae 


Sniffer Network Analyzer Operations Manual 


One of the menu’s entries is highlighted (that is, shown in reverse video). The 
lower portion of the window contains a brief explanation of the highlighted entry. 
Pressing one of the cursor keys moves the highlight to another entry. To execute 
the entry that’s highlighted, press Enter. There is a menu item saying “analyzer” 
for each set of analyzer software. A machine always has at least one set of analyzer 
software, but may have more, to handle different networks or different 
combinations of protocol interpreters. 


Some entries are always present in the main selection menu. For example, the 
menu always includes the options return to DOS or system shutdown. Other 
options are present only when the relevant software has been installed. For 
example, you see the choice configuration utility only when the configuration 
utility has been installed. The possible selections and the actions they perform are 
listed in Figure 1-12. 
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Selection 


Action 


xxx Monitor 


Passes control to the Sniffer Network Monitor’s main menu. 
For details, see the manual Sniffer Network Monitor Installation 
and Reference Manual. 


xxx Analyzer 


Starts the Sniffer Network Analyzer. The lower window 
shows the selected analyzer’s protocol suites. Control passes 
to the analyzer’s main menu. 


TeleSniffer 


Passes control to the TeleSniffer menu. You can choose to be 
“host” (permit the analyzer to be controlled by a remote PC), 
or “remote” (make it the controlling PC). 


Configuration 
Utility 


Passes control to the Configuration Utility (see Chapter 8). It 
permits you to build (or delete) a version of the Sniffer 
analyzer software with a subset of the protocol interpreters 
you've purchased. This item appears only when a machine 
has so many protocol interpreters that it may be necessary to 
group subsets in alternate versions of the analyzer software. 


SniffMaster I 
Remote Analyzer 


On machines with SniffMaster I, passes control to the 
SniffMaster menu. It permits you to install and run the 
memory-resident program that accepts instructions from the 
SniffMaster I control module via the serial port. There are also 
options to configure or remove SniffMaster I. 


Internal display 


Directs display to the built-in screen only. 


External color 


Directs display to the external color monitor; enables color- 


monitor coding by OSI level. 
External LCD Directs display to the external LCD projector; selects 
projector 


1 attributes appropriately (disabling brightness or color). 


Note: On the series 300, attributes of the external display also affect the 
built-in display (but may be less-than-optimal for it). On the series 500 
and 700, activating an external display turns off the internal display. 


[ 


Return to DOS 


Exits from the menu. The analyzer is now a standard DOS 
machine. To re-enter the menu, type menu. 


System shutdown 


Parks the heads of the analyzer’s hard drive in preparation for 
moving the machine. Ordinarily, you then turn off power. 


Figure 1-12. Effect of items in the main selection menu. 
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TeleSniffer selection menu 


Configure Host Configure Remote 
tart Host Start Remote 


Return to Main Menu 


Set up Sniffer Analyzer at LAN being 
monitored. 
Use arrow keys to select, then press Enter. 


Figure 1-13. Sub-menu to configure or start TeleSniffer. 


Color Displays 


Each Sniffer analyzer has a port that may be connected to an external display. This 
port can be used to connect the analyzer to an external color monitor or a 
(monochrome) LCD display for use with an overhead projector. 


When the analyzer’s displays are shown in color, there’s a greater range of 
highlighting. In a frame display with multiple protocol layers, each layer has its 
own color. Where possible, each protocol is identified with one of the seven OSI 
levels. 


The type of color adapter supported depends upon the platform and network card; 
for details, consult the installation guide for the platform of interest. 


Using an External LCD Projector 


The Sniffer analyzer’s display can be routed to an LCD display such as the Kodak 
DataShow™. This device has a transparent screen that makes characters appear 
opaque. When it is placed on the view stage of a standard overhead projector, the 
projected image has black characters on a white background. 


To use an LCD projector, connect it to the port that would otherwise support an 
external color monitor. DataShow comes in a standard model that accepts the same 
signal as a CGA monitor, and a higher-resolution model that accepts the same 
signal as a VGA monitor. However, since the LCD display has just two levels of 
illumination, black and white, with neither color nor brightness distinctions, it isn’t 
appropriate to send it a normal color signal. To optimize the display for an LCD, 
select External LCD display in the selection menu. The Sniffer software modifies 
the display to preserve legibility and still show which fields are highlighted, but 
loses other distinctions. 


Tree-Structured Menus 


The Sniffer analyzer is entirely controlled from menus. When at the main selection 
menu you choose to run an analyzer, control passes immediately to the main 
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menu of the Sniffer analyzer. An example (for an Ethernet analyzer) is shown in 
Figure 1-14. 


Network 
General Cable Tester 4 Destination class 
F Traffic Generator #] Station address 


Capture filters Protocol 
Ethernet Sniffer rigger Pattern match 


Network Analyzer Capture 
Version 3.00 Display / Good frames 
Files / Bad CRC frames 
(C) Copyright Options v Fragments 
1986 - 1990 Exit / Bad alignment 


Set up filters for frames to be captured. 


=———=[se the arrow keys to move around in the menu 


cat 
Help capture 


Figure 1-14. First panel of the Sniffer analyzer’s main menu. 


All Sniffer menus have the same structure. While details vary according to the 
network and protocol interpreter suites installed, the organization is the same. The 
entire menu is a tree, with its root (the main menu) to the left and its branches and 
leaves to the right. Only a part of the menu is visible at a time. By using the cursor 
keys, you can move a window over the menu. Since the window is fixed on the 
screen, the menu appears to move under the stationary window. 


When the menu is active, the screen shows three panels side-by-side. You control 
the center panel. Within that center panel, the center row is highlighted. That is 
your location on the menu. When you first start the Sniffer analyzer, the center 
panel lists the alternatives available from the root of the tree. Some alternatives 
appear above the highlight, some below it. Initially, the highlight is on capture. 


When you press the Cursor Up key, the item above Capture becomes highlighted. 
We speak of “moving the highlight up” to the next item. The highlight doesn’t 
really move; instead, the entire center panel scrolls downward so that the 
(stationary) highlight is now on the row above. Alternatively, to jump directly up 
or down to a particular item, you may type the first letter of its name. 


The panel to the right shows choices in the sub-menu that goes with the item 
highlighted in the center panel. As soon as you bring a different item to the center 
highlight, the entire right panel changes. The right panel always shows the sub- 
menu that goes with the item that’s highlighted in the center (see Figure 1-15). 
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Toward root menus ACTIVE Toward leaf menus 
(How we menu (where we could 
got here) @gii|| Panel |||Im go from here) 


LOOP Etype 
IP Etype © 


fete | ARP Etype 
| oe al___| If Cable Tester Destination class }} TRLR Etype _ 
7 - Traffic Generator |] Station address PUP Etype 
Sthernet Snifter Capture filters Protocol Other Etype 
i. Trigger Pattern match SNAP SAP 
coe Capture Good frames — 
*\ Copyright Display Bad CRC frames 
%- 100A Files Fragments 
Exit Bad alignment 


Tersi on 3. 00 


Highlight remains at screen center, 
while the menu scrolls under it 


Figure 1-15. Diagram to illustrate scrolling over the tree-structured menu 


To select one of the options in the right panel, press the Cursor Right key. It’s as if 
you move rightward from the center of the screen. The highlight doesn’t really 
move. Instead, the entire menu moves leftward under the highlight panel. The 
panel that was to the right now moves to the center. The panel that was in the 
center now moves to the left. The panel that was at the left vanishes, as though it 
moved out of sight beyond the left edge of the screen. 


When the item now in the center has options associated with it, they appear in the 
right panel. Sub-menus seem to move in from beyond the screen’s right edge. 
When the item in the center has no options , the right panel is blank. 


The four cursor keys permit you to traverse the entire menu tree. Your current 
selection always appears at the center of the center panel, with other choices at the 
same level above and below it. The right panel shows the sub-menus (if there are 
any), and the left panel shows the menu nearer the root (or the Network General 
logo when you're at the root). 


Menu Conventions 


Options: 


The menus contain two kinds of items: actions and options. First you set options; 
then you start an action involving them. 


An option specifies how an action will work when it starts at some future time. 
Examples of options: 


Choosing protocols to be included in the filters that decide whether to accept a 
frame. 
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Actions: 


Setting a logarithmic scale for the traffic-density bar graph. 


Determining whether frames are displayed with the highest-level protocol 
only. 


There are two kinds of options. A checklist is a list of items. Puta ¥ beside each 
that you want, an X beside those you don’t want. You can check as many or as few 
as needed. A radio control is a list of mutually exclusive options (so called because, 
like a push-button radio, selecting one deselects the others). A radio control has a 
vertical bar beside it, and an arrowhead at the selected item, thus: 


» Selected item 
deselected iten 


To change an option: position the highlight on the option you want, and press 
Spacebar. On a radio control, that moves the arrowhead to the highlighted item. 
On a checklist, pressing Spacebar changes v to X (or X to Y). Holding down the 
Alt key while pressing Spacebar reverses the setting of all items on the list. 


When you press the key for an action, something starts to happen For example, the 
action capture causes the Sniffer analyzer to start capturing traffic according to the 
capture options you previously set. The action display causes the Sniffer analyzer 
to start displaying frames in the capture buffer according to the display options 
you previously set. 


To start an action: position the highlight on the action you want and press Enter. 
An action that can be started by pressing Enter always has € beside it. 


(Network 29 


D) 
= 


” 
qd 
= 
© 
—_ 
Le 


Capturi 


2 


Chapter 2. Monitoring Traffic and Capturing Frames 


Chapter Overview 


This chapter describes the process of capturing frames. It also describes the 
displays you can generate as capture proceeds. 


During capture, the Sniffer analyzer “listens” to all frames, filters them to select 
frames to record, and stores the selected frames in its capture buffer. When capture 
is complete, you can then analyze, interpret, and display the captured frames (see 
Chapter 5, Display and Interpreting Frames). 


Capture Monitoring vs. Non-Capture Monitoring 


While it is capturing, the analyzer is able at the same time to do a certain amount 
of monitoring. Monitoring gives you a variety of displays that summarize the 
network’s traffic. The monitoring displays are continually updated in real time. 
The most complete facilities for monitoring are provided in a separate module 
called the Sniffer Network Monitor. It devotes full attention to monitoring and 
doesn’t save frames. Thus, to get maximum monitoring but no capture, you should 
run the separate monitoring module, described in Sniffer Network Monitor 
Installation and Operations Manual. 


Two-Phase Capture Monitoring 
To analyze and interpret network frames, you must first capture them. Since the 


capture mechanism has some built-in monitoring, the process of capture has two 
phases: the capture itself, and the monitoring that goes on as capture proceeds 
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Capturing Each accepted frame is stored in the capture buffer. You can store 
an entire frame or truncate it after a certain length. 


If you keep on capturing after the buffer fills, earlier frames are 
discarded to make room for later ones. 


When capture is terminated, you can display and analyze the 
frames in the buffer. That’s when filtering and decoding of 
higher-level protocols takes place. You can also store the contents 
of the capture buffer in a disk file, and subsequently analyze it, or 
play it back as though it were being captured again. 


Monitoring + Skyline: A graph showing traffic density over time; or 
durin 
Canes * Counters: A table of counters, perhaps by logical call and type 


(on a synchronous WAN) or by source or source and 
destination (on a LAN). 


During capture (with either display), you may elect to have 
audible clicks announcing frames as they are stored in the buffer. 


Before you start capture, you specify the frames you want the analyzer to retain in 
the capture buffer and the displays you want to see while frames are being 
captured. 


Outline of Steps to Capture Frames 


Step 1. 


This section provides an overview of the optional steps that you might want to 
take before starting to capture frames. The steps are described in greater detail in 
the sections that follow. 


For each step, you may indicate what you want, or (by inaction) accept what is 
already established. “Established” may mean either 


The Sniffer analyzer’s default setup, or 


The settings you have restored by loading a previously-saved setup file. 
Loading a setup file restores all the settings the way they were at the time the 
setup file was saved. Procedures to save and load a setup file are described in 
Chapter 5, starting at page 145. 


When you're collecting data to look at a specific problem, set up a capture filter 
and a trigger before you start capturing. But when you're just checking the 
network’s traffic load, or you've loaded a setup specifying everything you want, or 
you're happy with the defaults, you can probably go straight to step 6. 


Check that options are correctly set; 
Miscellaneous options affect the analyzer’s operation. They’re set in a menu 


entitled options. Most of the items are specific to a particular network or platform. 
Review the ones that apply to you (see page 38). 
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Step 2. Capture filters menu; 


* Set your filters—or accept the filters in your default setup. Capture filters tell the 
Sniffer analyzer which frames to retain for analysis and which to ignore. Capture 
filters are primarily useful on a LAN; on a WAN’s synchronous link, there are 
fewer options for filtering during capture. 


Regardless of whether you capture live from the network or by playing back a 
saved file, arriving frames go first to the capture filter. Only those that are accepted 
by the capture filter proceed to the capture buffer. For more details, see Setting the 
Capture Filters, starting on page 41. 


A capture filter can be based on the presence or absence of any of the following: 


* Unknown address (LAN). This filter retains or discards a frame depending on 
whether its DLC source or destination is unknown. The Sniffer analyzer 
considers an address to be “unknown” when it isn’t in the working name table, 
or is in the table but without a symbolic equivalent. To edit the name table, see 
page 138. 


Destination class (LAN). This filter retains or discards a frame depending on 
whether its address is specific or general. A non-specific address might be a 
broadcast notice or inquiry. On some networks (for example, token ring) a 
frame may be destined to a functional address, a role that may played by one or 
more stations. 


Station address (LAN). This filter retains or discards a frame depending on its 
address. You can specify up to four DLC address pairs. For each address, you 
can specify whether the filter applies to its use as source, as destination, or 
either. 


* Protocol (LAN). This filter retains or discards a frame depending on whether it 
contains any of various protocols. However, the Sniffer analyzer has time to 
identify only the lower levels of protocol. A list of the protocols it can check 
during capture appears in the protocol panel to the right of capture filters. Put 
a check mark beside each protocol you want to include in the filter. 


* Direction (WAN/Synchronous). The filter retains frames from DTE or from 
DCE or both. 


* Pattern match (Both LAN and WAN/ Synchronous). This filter retains or 
discards a frame depending on whether it contains a particular pattern of data. 
The pattern is built from a logical combination of up to eight component 
patterns. Each component pattern is a specific sequence of bits, bytes or 
characters at a specific location. 


* The presence or absence of certain defects (Both LAN and WAN). This filter 
retains or discards a frame depending on whether it contains a particular type 
of error. You can filter for defects only where the network adapter passes 
defective frames to the Sniffer analyzer. Filters for defects are possible on the 
networks listed at the left and center of Figure 2-1. 
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Step 3. 


Ethernet Token Ring 
WAN/Synchronous StarLAN ARCNET 
PC Network Local Talk 
Filters for: Filters for: | No filtering for defects. 
Good frames (The network adapter 
Bad CRC - Bad CRC card discards defective 
frames before they reach 
Fragments the analyzer) 
Bad alignment 


Figure 2-1. Availability of filters for defective frames, by network. 


Combined effect of filters. When you set several filters, the frames that get through 
are those that successfully pass all the filters. (You can think of each filter as 
weeding out frames that it finds unacceptable, and pass those that remain to the 
next filter.) 


Trigger menu 


Set the trigger—or accept its default settings. The trigger event signals the Sniffer 
analyzer to stop capturing. Once capturing stops, you can start analyzing what's in 
the capture buffer. Setting the trigger has three parts: 


External trigger. Tell the analyzer to listen for an external event (a signal from 
the COM port) as the trigger event, or to send a signal to that port when the 
trigger event is observed. 


Pattern-match trigger. Like a pattern in the capture filter, the trigger pattern 
may be built from a logical combination of up to eight component patterns. 
The first frame to match the combined pattern is a trigger event. 


Set the stopping point. You can specify that capture stops immediately when 
the trigger criteria are met, or somewhat later. If you don’t stop capture 
immediately, the buffer contains some frames that arrived after the trigger 
frame. For details, see Setting the Trigger, starting on page 57. 


If the analyzer fills the capture buffer without seeing a trigger frame, what 
happens? You can have the analyzer stop capturing when the buffer is full, or 
keep on capturing, discarding earlier frames as new ones arrive. The default is 
to continue. For details, see Stopping Capture and Positioning the Trigger Frame in 
the Capture Buffer, starting on page 59. 


Step 4. Display menu 


Edit the name table—or accept the working name table as it is. When you 
interpret the address of a logical call, or tabulate traffic by source or by source and 
destination, the analyzer labels the display using names from the name table 
wherever they’re available. If you don’t know in advance what station names are 
likely to appear, you can capture first, assign names after that, and then start a new 
capture, or replay the capture of frames saved earlier. For details of the name table, 
see Managing Names in Displays, starting on page 136. 
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Step 5. 


The name table also affects the unknown station filter; a station is considered 
“unknown” if its address is not in the name table at all, or is present but without a 
symbolic equivalent. 


Capture menu 


Connect the Sniffer analyzer to a source of traffic—or accept the default. The 
connection is indicated by From <XXXXX> in the capture menu. The source may be 
either a “live” network to which your Sniffer analyzer is appropriately cabled or a 
file of previously recorded data that you play back to simulate live collection. 


Select the frame size—or accept the default. The default is to record the entire 
frame. Optionally, you can have the Sniffer analyzer truncate each frame that 
exceeds a limit you select from a menu of sizes. 


Select the type and format of tabulation. This tells the Sniffer analyzer how to 
display running totals of frames as they arrive. For details, see page 61. You can 
elect one of the following: 


- Units. To specify the units the Sniffer analyzer uses to report traffic totals, you 
may select from: Frames seen, Kilobytes seen, or Network utilization. 


Scale. The bar graph of current and maximum traffic density is displayed on 
either a logarithmic (default) or a linear horizontal scale. 


- Monitoring Display. You can choose between one of several types of display 
during capture. The alternatives depend on the network. The broad choice is 
between a display of counters or a display of histograms called skylines. 


» Counters. The analyzer continuously updates counters for various aspects of 
the traffic. Because of the different contexts, the categories counted depend on 
whether the analyzer is connected to a synchronous line or to a LAN (see 
Figure 2-2). 


Skylines The analyzer adds a new bar to a histogram depicting total activity 
during the last interval. You can have the analyzer update the skyline at the 
end of each second, minute, or hour. 


When the histograms bars fill the screen, the earliest bars disappear from view 
off the left edge of the screen, but you can bring them back by scrolling the 
display horizontally with the Cursor Right or Cursor Left keys. 
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Step 6. 


Counters on a Synchronous Link | Counters ona Local Area Network 


No choice required. Counters | You select one of the following mutually- 


automatically provides: exclusive alternatives: 

Totals by HDLC type - Pair counts. The analyzer lists each pair of 

(separately for DTE and stations and keeps a running total of traffic 

DCE) in each direction between each pair. 

Totals by SNA or X.25 type | + Individual counts. The analyzer lists each 

(separately for DTE and source station and keeps a running total of 

DCE) the traffic from each. 

Scrollable list of logical + Matrix. The analyzer shows running totals by 

calls, with total traffic in source, arranged without labels ina 16x16 

each direction for each. matrix. This is possible only on networks 
that use one-byte DLC addresses (ARCNET 
and LocalTalk). 


Figure 2-2. Counters on a WAN synchronous link and ona LAN. 


Highspeed mode. With some combinations of network, platform and interface card, 
heavy bursts of traffic may arrive faster than the analyzer can handle all of their 
frames. To minimize the risk of losing frames, on Ethernet, StarLAN, and PC 
Network you have an option called highspeed capture (see page 66). 


Start capture! 


Once you've completed the preliminaries —or skipped them, accepting the 
defaults—you’re ready to start capture. To begin, press F10 (labeled New 
Capture). Alternatively, move the highlight to Capture and press Enter. 


On Ethernet models, the Sniffer analyzer automatically runs a cable test the first 
time it starts to capture from the network. (The cable tester is described in Chapter 
3, starting on page 79.). When it detects a cable fault, the analyzer displays the 
message There appears to be a cable or transceiver fault and halts. Otherwise, it 
proceeds with capture. 


Displays generated during capture are described later in this chapter (starting at 
page 66). 


Verify Options for Your Network or Machine 


Options are tucked away at the bottom of the main menu. You probably won’t 
need them often. Depending on the network, a few items are essential before you 
first connect the Sniffer analyzer. 
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Audible Clicks Option on All Analyzers 


When the clicks option is enabled, the Sniffer analyzer emits a small click with the 
arrival of each frame during capture. This gives you an audible impression of 
changes in traffic density. The default is to have audible clicks, indicated in the 
options menu by: 


Y Audible clicks 


By moving the highlight to this item and pressing Spacebar you reverse the ¥ 
(active) to X (inactive). 


Token Ring Options 


Network speed. The NIC is capable of operating at transmission speeds of either 4 
or 16 Mbps. If you move the analyzer to another network, use this menu to select 
the appropriate speed. (An invalid setting may disrupt the ring, so the analyzer 
has provision to back out if it appears to be configured at the wrong speed; see the 
next paragraph.) The choices are: 


|» 16 Mb/s 
| 4Mb/s 


Disconnect if no signal. What should the analyzer do if it receives no signal while 
connected? You may select between two choices: leave the ring immediately or 
remain. The default is to disconnect, indicated in the options menu by the setting: 


/ No signal: remove 


Leaving immediately is a matter of prudence. It protects the ring if you 
inadvertently connect an analyzer at the wrong transmission speed. Connecting a 
token ring analyzer at the wrong speed may severely disrupt the ring. 


If you're certain that the analyzer’s speed matches the network’s speed, you can 
remove this protection. Operating without automatic withdrawal has two 
advantages: 


* When the ring has been broken, you can connect to a fragment and await 
signals as you make other changes to the ring. 

* Ona functioning ring, you can disconnect temporarily and reconnect without 
having to reset the analyzer. 


By moving the highlight to no signal: remove and pressing Spacebar, you reverse 
the Y (active) to X (inactive). 
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PC Network Option 


Bit reversal in DLC address. For compatibility with addresses used on the token 
ring, some PC Network installations reverse the order of bits within each half- 
byte of a DLC address. This misrepresents what was actually transmitted, but 
makes the address as received at the analyzer consistent with the address you 
would see on a token ring. If you’re working on a network that inverts DLC 
addresses in this fashion, you can have the Sniffer analyzer record DLC addresses 
in the same way. Address converted by this option are said to be “flipped” 1. The 
menu item says 


X Flip DLC address 


To activate this option, move the highlight to it and press Spacebar to reverse the 
X (inactive) to v (active). 


WAN/Synchronous Options 


Packet type. You have to tell the analyzer what lower-level protocols the 
synchronous link uses. The lowest level may be either SDLC (IBM’s Synchronous 
Data Link Control protocol), or HDLC (High-level Data Link Control, an ISO 
standard protocol descended from and closely related to SDLC). Neither of these 
affects what higher level protocols are embedded in their frames. The most widely 
used are SNA over SDLC (in IBM installations), and X.25 over HDLC (widespread 
in Europe and increasingly in the US). The analyzer offers two choices: 


HDLC/X.25 ISO X.25 over HDLC (the default). 
SDLC/SNA IBM's SNA (systems network architecture) protocol over SDLC. 


Encoding: Packet numbering. Packets (frames) may be numbered in either of two 
ways that are not readily distinguishable by inspection. One uses 3 bits, the other 7. 
Three-bit (that is, modulo 8) numbering is widely used within the US and Europe, 
but 8-bit encoding is often used in Japan and in international satellite links. The 
menu choices are: 


>» Modulo8 (the default). 
| Modulo 128 


Encoding: Data signalling. The two most common encoding methods for 
SDLC/HDLC are called NRZ and NRZI. Before you start capture, in order to decode 
the transmitted data correctly, you should tell the analyzer which one the network 
uses. The choices are: 


'» NRZ Non-return to zero (the default.) 
| NRZI Non-return to zero inverted. 


For a more detailed discussion of the reasons for this option, see the section starting at page 114, in Chapter 5, 
Displaying and Interpreting Frames. 
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Stopping Capture 


Before you start capturing, you need to tell the analyzer how you want it to stop. 
Once started, capture continues until one of the following happens: 


* You press F10 to stop capture; 
* The trigger event occurs (if you specified that capture should stop then), 
* The buffer fills (if you specified that capture should stop then); 


+ You press F9 to pause capture. That permits you to adjust the display or capture 
filters and then resume capturing frames. 


What You Can Do When Capture Has Stopped 
Once capture has stopped, you can do any of the following: 


* Display the captured frames. You can filter the captured frames so that only the 
ones that interest you are displayed. You can also select the display format. 
Chapter 5 tells you how to display frames once they’re in the capture buffer. 


* Save the captured frames in a data file. A capture file can be used as 


- A-source from which you “capture” frames, much as you would from a live 
network; 


. A source from which you load the capture buffer in order to display frames. 


For details, see page 142. 


* Discard the contents of the capture buffer. When you start a new capture or exit 
from the Sniffer software without having saved the contents of the capture buffer, 
the analyzer warns you that if you proceed it will discard the frames now in the 
buffer. 


Setting the Capture Filters 


From the main menu, move upward until the highlight is on Capture filters. At 
the right you'll see the sub-menu of capture-filter options (visible in Figure 2-3). 
Move the highlight to the right and then up or down as necessary to display or edit 
the options. 


Note: When you specify a capture filter, you are setting the current capture filter, 
stored in working memory. Doing so does not update any stored file containing 
your Sniffer analyzer setup, so the revision is temporary. When you have 
completed your revisions, you can if you wish save a record of the setup. To do 
that, move to files in the main menu, then to save, and finally to setup. (See page 
145 for more information about saving and loading setup files.) 
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| x Unknown stns only | 
Cable Tester < | 
Token Timer < 
Traffic Generator # 


Capture filters 


Filters for address, unknown, station, or 
destination class exist only on a LAN. 


Destination class 
Station address 


Protocol __ 
Pattern maton 


Filter for Fragments or alignment exist 


[rigger only on Ethernet, StarLAN, or PC 
Capture < Network. 

Display | v Good frames 

Fl les v Bad CRC frames Filter for Bad CRC exist only on 
Options . Fragments Ethernet, StarLAN, PC Network or 
Exit # | v Bad alignment WAN/Synchronous . 


Figure 2-3. Choices in the “Capture Filters” menu. Some items may be omitted depending on the 
network . 


Five Kinds of Capture Filters 


Figure 2-4 lists and describes the kinds of capture filters. A frame is accepted if it is 


not rejected by any of the applicable filters. (Put another way, a frame is accepted 
only if it passes all filters.) 


Network | Filter Test Default 
Pattern Does the frame match a set of patterns the None set 
Both WAN match user has specified? (accept any) 
and LAN Frame Should the analyzer accept a frame that is 
quality defective, for example, having 
¢ Bad CRC, or 
* Alignment error. 
WAN only | Direction Is the frame’s source Accept both 
* From DTE 
* From DCE 
Unknown | Should the analyzer accept a frame only No (i.e. no 
station when it contains a source or destination that restriction) 
has not been assigned a symbolic equivalent 
in the current name table? 
LAN only | Destination | Does the frame have a specific destination or Accept both 
class is it broadcast? 
Station Does the frame match any of a list of source-_| None set 
address and-destination pairs? (accept any) 
Protocol Does the frame contain any of a list of low- None set 
level protocols? (accept any) 


Figure 2-4. Types of capture filters. 
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Capture filters take a certain amount of processing time. In general, the more 
complex the capture filter, the greater the time. On a network whose load is light 
or moderate, the processing time is not noticeable. But on a heavily loaded 
network, it limits the speed at which the analyzer can accept frames. If frames 
arrive faster that the analyzer can process them, some may be lost. The number lost 
is recorded in the lost frames counter. If this number begins to rise, it may help to 
adopt a simpler filter. 


Station Address Filters 


During capture, the Sniffer analyzer’s filters consider only the lower levels of 
addressing. On a synchronous communications link, there are only two low-level 
addresses: the two ends of the link. In that context, filtering by DLC address 
doesn’t make sense, and there is no provision for address filters during capture. 


OnaLAN, you can set filters for a frame’s DLC destination. However, recall that 
the DLC destination may describe only the current leg of a much longer journey. 
Higher-level protocols embedded in the frame’s data field may cause the current 
addressee to repack the data and retransmit it with a new address. 


During capture from any of the LANs, you may specify up to four source-and- 
destination pairs for the capture filter. You may also specify what you want done 
with others—that is, frames that don’t match the specifications you provide. 


Naming the Matches 


Each source-and-destination pair that you describe is called a match. To make the 
various matches easier to describe, you may assign them names. (The names don’t 
do anything except help you remember what the various matches are for.) Initially, 
the matches are called match 1 through match 4. To assign a name to one of them, 
move the highlight to match 1 (or whatever) and press Enter. The Sniffer analyzer 
opens a dialog box in which you can write a name (Figure 2-5). Thereafter, you'll 
see the name you enter in place of the name match 1. 


1 Switching to highspeed capture maximizes the capture rate, but gets its extra speed by bypassing all filters and 
most counters. 
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x Unknown stns only 


Destination class 
ECE address J el | From <any stationd 
Protoco| jENTER MATCH NAME ————=To_ <any _stationd 
Pattern match 
Reverse direction 


Include these 
Exclude these 


| 


| 


Figure 2-5. Naming a match in the pattern match section of the capture filters menu. 


For each match, you specify: 


+ Source (select a station name from the name table); 

- Destination (select a station name from the name table); 

- Whether to include frames traveling in the reverse direction; 

- Whether the filter should include or exclude the frames thus identified. 


For a particular address match, the match succeeds when 


+ Its DLC source matches the from address you specify and 


* Its DLC destination matches the to address you specify. 


When you check reverse direction, the match also succeeds when a frame travels 
back from the destination to the source. 


When you check exclude these, a frame is accepted when it matches neither the 
source nor the destination you specified. 


Combined Effect of Several Address Filters 


The Sniffer analyzer evaluates the matches in sequence from Match 1 (or whatever 
you have renamed it) to Match 4. As soon as a match succeeds, the analyzer ceases 
to test that frame for further matches. The frame’s fate is determined by the way 
you set the switch include/exclude for the match that succeeded. 


When none of the four matches succeeds, the frame’s fate is determined by the 
way you set the switch include/exclude others. 


Using Fewer than Four Matches 


It isn’t necessary to set all four matches; indeed, you may not want to set any at all. 
In that case, don’t set the matches you don’t want. A match that contains the 
default setting include <any station> to <any station> is disregarded. When all 
four matches are include <any station> to <any station>, the Sniffer analyzer does 
not use any address filtering during capture. 
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You can temporarily disable a match that you've defined by putting an X in front 
of its match name. The analyzer checks only the matches marked ¥. As usual, you 
switch from Vv to X by highlighting the match’s name and pressing Spacebar. 
When you wish to activate the match again, use the same procedure to switch from 
from X to v. 


Sample Address Filters 
Suppose you're interested in traffic between George or Anita and Server-1, and 


also any traffic going to Gateway-A (but not the reverse). You could specify your 
three matches as shown in Figure 2-6. 


Name for Source Destination | Reverse Include/ 
Match Address Address direction? exclude? 
G's files yes 


A’s files 


Outgoing 


[Match 4] Defaults 


Figure 2-6. Example of a filter-match on three address-pairs 


Before you set the address filters, the menu for each match contains the default 
entry From <any station> to <any station> (Figure 2-5). To change that, use the 
cursor keys to highlight the line labeled from or the line labeled to, and there press 
Enter. The Sniffer analyzer opens a dialog box headed SELECT STATION in 
which you can select an address . (Figure 2-7 shows 6-byte addresses such as those 
used on Ethernet. A Sniffer analyzer for ARCNET or LocalTalk would show the 
one-byte addresses used there. On ARCNET, you have the option to use octal 
rather than hexadecimal to enter or display DLC addresses in the name table.). 


If the name you want appears in the list, scroll to it and press Enter. The Sniffer 
analyzer closes the dialog box and inserts the name you've selected in the space 
after from or to. 
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FSELECT STATION Level ‘Address 

<New station> DLC 

<Any station> DLC XXXUAAXEA XY 
Broadcast DLC FFFFFFFFFFFF 
Fido DLC AA000301131B 
Konig DLC 02608C036310 
Gateway P DLC 026080063841 
Score DLC 02608006388 


Use y and T then press ENTER, or ESC to return. = 


Length of the hex station 
address depends on the 
network 


Figure 2-7. Menu to select a station for a station address filter. The length of the hexadecimal 


address depends on the network. 


If the station you want to name does not appear in the list, move the highlight to 

new station and press Enter. The Sniffer analyzer opens a dialog box to receive a 
new station address and your name for it (Figure 2-8). Pressing Enter updates the 
working copy of the name table. (For further discussion of editing the name table, 


see page 138). 


poELECT STATION 


Enter the new DLC address of the station 
as a hexadecimal value: | 


426080187066 


Enter the name of the new station: 


Eki nuevo I 


Press ESC to abort 


The dialog box requires an 
address of the right length. 


ARCNET or LocalTalk use one-byte 
addresses. 


For ARCNET, you may elect octal 
rather than hex for the name 
table. 


Figure 2-8. Dialog box for inserting a new station address and name. 


Taking Advantage of the Order in Which Matches are Checked 


Suppose you're interested in all traffic to and from Server-1 except for the 
voluminous traffic between Server-1 and Gateway-A, which, if included, would fill 
up the capture buffer with frames that don’t at the moment concern you. Since the 
address filters are evaluated in sequence, you can readily achieve the desired effect 
by first discarding frames between Server-1 and Gateway-A and then accepting 
frames between Server-1 and any destination. The set of matches is summarized in 


Figure 2-9. 
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Name for 
Match 


S1 to others | Server-1 


ource Destination | Reverse Include/ 
Address Address direction? exclude? 
1 


S 
Server- exclude 


include 


[Match 3] [<any>] [include] | Defaults 


[Match 4] [include] | Defaults 


Figure 2-9. Address filter to capture all traffic from a station, but with a major exception 


[<any>] 


Default 


Unknown Address Filter 


When you check Unknown stns only, the Sniffer analyzer accepts a frame only 
when at least one of its two DLC addresses (destination and source) is “unknown.” 
The Sniffer analyzer considers a station to be “unknown” when its address isn’t in 


the working name table, or is in the table but without a name. 


Simply by providing a name (it doesn’t have to be meaningful) for each address 
that is supposed to be present on a LAN, you can detect any frames sent to 
unknown destinations or from unknown sources. The cause of such traffic could be 
illegal hackers, bad data frames, faulty software in the application or the network, 
or network interface cards that have been replaced without notifying the system 
manager. 


Destination Class Filter 


Ona LAN, a frame may either be directed to a specific destination, or to a generic 
address that several—perhaps all—stations can receive. There is no equivalent type 
of transmission over a wide area network, and hence no destination class filter for 
a synchronous link. 


In the name table, you can assign a name to a generic address; for example “Error 
Monitor” or “LAN Manager.” Of course, a generic address will turn up only as a 
destination, never as the source of a frame. In each network, the prescribed form of 
a generic address is such that it is always different from any possible individual 
address. 


Networks permit different types of generic addresses and identify them 
differently. The possibilities are summarized in Figure 2-10. 
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| 


Network Type Description Characteristic Address 
Ethernet, Multicast | A multicast address is a A DLC multicast address 
StarLAN, address collective name for has a 1 in the low-order 
PC Network | (including | several stations. It may be | bit of the first byte, so 

Broadcast) | a role played by one or that in hexadecimal its 
more stations, or by all second character is odd 
stations (for example, (that is, 1, 3, 5, 7,9, B, D 
“Broadcast” ). or F). No individual 
station has an address 
with that bit on. 
Token ring Functional | A functional address is a A DLC functional 
address collective name forarole | address has a 1 in the 
(including | played by one or more high-order bit, so that in 
Broadcast) | stations, by no station (for | hexadecimal it appears 
example “Error monitor” | as a number whose first 
when no station is digit is 8 or more. No 
monitoring errors), or by | individual station has an 
all stations (for example, address with that bit on. 
“Broadcast”). 
ARCNET , The broadcast address is 
A broadcast frame is 00 
Broadcast | accepted by all stations on : 
LocalTalk ae pene may The broadcast address is 
have the broadcast 
address 
WAN/ None 
Synchronous 


Figure 2-10. Types of generic addresses, by network. 


Protocols in the Capture Filter 


While capturing from a synchronous link, there is no option to filter by protocol, 
so this section applies only to LANs.1 


Ona LAN, each DLC frame includes a field that indicates what it contains. 
Depending on the network, this low-level classification is called a SAP (“service 
access point” in the terminology of IEEE 802.2), an Ethertype (on Ethernet and 
StarLAN) or a system code (ARCNET). This is the lowest level at which protocols 
are identified, and the only level that can be used for capture filters. (During 
display, there isn’t the same time pressure so filters can include higher-level 


protocols or addresses.) 


time, the filter would do nothing useful. 


In principle, you could filter for SNA or X.25, but since these would not be intermixed on the same link at the same 
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When you move the highlight in the Capture filters menu to Protocol, the panel to 
the right shows you a list of protocols. Beside each name, there’s a / (check mark) 
if the capture filter accepts it and a X (cross) if it doesn’t. The filter passes frames 
containing any of the protocols you have marked with a check. 


The specific protocols in the list that accompanies the capture filters menu depend 
on the network for which your Sniffer analyzer is prepared and the protocol 
interpreter suites installed in it.! Some typical protocol lists are shown in Figure 2— 


11 
Token ring with IBM, Ethernet or StarLAN |ARCNET with Novell | LocalTalk with 
Novell, and XNS with TCP/IP, Sun and Nestar AppleTalk 


Y/Y MAC frames Y IP SAP / Nestar System code | X ENQ 
/ NetBIOS SAP / SNAP SAP Y Novell System code | ¥ ACK 
/¥ XNS SAP Y Other SAP xX RTS 
/ SNA SAP Y/Y LOOP Ethertype x CTS 
Y Novell NetWare SAP| “ ARP Ethertype / DDP 
/¥ SNAP SAP Y IP Ethertype 

¥ U-B SAP /Y TRLR Ethertype 


Y Other system codes 


Y Other 


¥ Other SAP 


Y Other Ethertype 
Figure 2-11. DLC protocols typically available for capture filters, by network. 


By moving the highlight rightward to the list of protocols, you can select protocols 
for the capture filter. While a protocol is highlighted, pressing Spacebar toggles the 
mark beside it from ¥ (selected) to X (not selected) or vice versa. Pressing Alt- 
Spacebar reverses all of them. 


The last entry on the list of protocols is “other”; here you indicate what should be 
done with a protocol that isn’t any of those the analyzer recognizes. 


For most networks, the analyzer’s default setting is a check mark for every 
protocol, so every protocol is accepted. On LocalTalk, the four low-level protocols 
enquire, acknowledge, request to send and clear to send are by default off, since 
they occur so frequently as precursors to DDP frames. 


Pattern Matching 


A pattern is a particular sequence of bits within a frame. Ina simple pattern, the 
bits occur at just one location. In a complex pattern, a set of of up to eight simple 
patterns is linked by AND, OR, or NOT. The resulting set of patterns becomes one of 
the filters applied during capture. The Sniffer analyzer uses the same mechanism 
to set up patterns in four different contexts: 


1 When you highlight the word protocol, the lower panel lists the installed protocol interpreter suites. It identifies 
them by part number. 
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Capture filters. The Sniffer analyzer captures frames that contain the set of 
patterns. 


(During capture, the analyzer doesn’t have time to invoke its interpreters for high- 
level protocols. You can’t directly filter on high-level protocol or address. 
However, you achieve the same effect when you specify a pattern that occurs only 
in a particular protocol.) 


Trigger. The Trigger fires when the Sniffer analyzer finds a frame that matches the 
set of patterns. 


Display filters. During display of frames in the the capture buffer, the Sniffer 
analyzer restricts display to those that match the set of patterns. 


Search for frame. During display of frames in the the capture buffer, the Sniffer 
analyzer searches forward to the next frame that contains the set of patterns. 


The following section tells how to define a set of patterns for a capture filter. The 
procedure is the same in the other three contexts. 


Top-Down Description of a Set of Patterns 


The panel to the right of pattern match shows rules for combining four sub- 
patterns into a set. To help recognize the four component patterns, you can assign 
each a name to replace the default names Match 1, Match 2, etc. Your substitute 
names don’t affect the processing, but may remind you what each component 
pattern is. You assign a name to a match in the same way as to a station-address 
match (Figure 2-5, page 44). That is, move the highlight to Match 1 (or whatever) 
and there press Enter. The Sniffer analyzer opens a dialog box to receive your 
substitute name. 


|PMatch 
| | Don't match 
x Either offset 
Destination class | J Match 1 4 
Station address | AND | Pattern = XXX¥... d 
Protocol POR Offset = 000 4 
Pattern match | J Hatch 2 ¢ pe 
| || AND OR 
/ Good frames POR Pattern = XXXX... # 
J Bad CRC frames / Match 3 4 Offset = 000 4 
/ Fragments | AND 
Y Bad alignment POR Hexadecimal 
/ Match 4 4 | Character 
Binary 


Figure 2-12. Menu item to assign a match name within the pattern match menu for 
capture filters. 


Each match is made up of a pair of patterns linked by AND or OR. When you 
highlight a match name, the panel to the right shows its two component patterns 
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(Figure 2-12). Initially, all eight of the individual patterns positions contain X (for 
anything), and all the offsets are 00. 


A pattern whose characters are all X has no effect. Thus, when your filter doesn’t 
need all eight of the individual patterns, you don’t have to set the ones you don’t 
use. Similarly, when you don’t need all four of the matches, you don’t have to set 
the ones you don’t use. When you use some but not others, it doesn’t matter which 
ones you use and which you leave at their defaults. 


Temporarily Deactivating a Match. Beside each match the symbol ¥ indicates that 
it is active or X indicates that it is inactive. By default, they’re all active. You can 
deactivate a match temporarily by highlighting its match name and pressing 
Spacebar to change its Y to X. The same procedure also serves to reactivate the 
match when it is inactive. 


Match/Don’t Match. For each match (that is, each pair of patterns), you set a radio 
control to indicate whether the match is successful when a frame contains the 
pattern (match) or does not contain the pattern (don’t match). The default is match 
(visible at to the top right of Figure 2-12). 


Either offset. For each match, you have the option to select either offset. Each 
match may have one or two patterns, linked by a conjunction.! For each pattern, 
you specify an offset (its location in the frame). Think of them as pattern A at offset 
A, and pattern B at offset B. Then the default match (without either offset) is 
satisfied by: 


| Pattern A at Offset A AND Pattern B at Offset B | 


When you check either offset, the match is also successful when pattern A is found 
at offset B and pattern B is found at offset A. 


(Pattern A at Offset A AND Pattern B at Offset B) 
OR 
(Pattern A at OffsetB AND Pattern B at Offset A) 


This is useful when two patterns swap positions with each other in different 
frames. For example, an exchange between client and server over TCP might 
involve the “well known port” number of the server and a transient port number 
assigned to the client. In the exchange, the port numbers occur in the offsets 
corresponding to source port and to destination port differently, depending on 
who sent the frame. Checking either offset thus matches traffic in both directions 
between this pair of ports. 


By default, the conjunction is AND. You have the option to make it OR instead. In that case, in the example that 
follows, replace each occurrence of AND by OR. 
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Characters and Offset in an Individual Pattern 


Each individual pattern is described by its position and the characters (or bits) it 
contains. A pattern may contain up to 32 characters. 


Before you specify the pattern’s content, first decided whether you will enter it as 
hexadecimal, as characters or as binary. The default is hexadecimal. A set of radio 
controls at the bottom of the panel selects one of the three, as follows: 


Hexadecimal: Specify up to 16 bytes, as 32 pairs, each 00 through FF. 


Character: Specify up to 32 bytes, each an ASCII character enterable from the 
keyboard. 


Binary: Specify up to 4 bytes, as 32 binary bits each 0 or 1. 


In hexadecimal or binary, an X means anything at that position. In ASCII character 
mode, Alt-x has the same effect; when you press Alt-x, the corresponding position 
is shaded, like this: 


Having decided how you will enter the pattern’s characters, move the highlight to 
pattern= and press Enter. The Sniffer analyzer opens a dialog box in which you 
can write the characters (Figure 2-13). 


Enter a pattern in hex, using X for don't-care: 
OBOOXXXXXXXXXXXXXXXXXXXXXXXXXXXY! 


(Press Tt to set the pattern from the data 
currently highlighted in the hex window.) 


Press ESC to abort 


Figure 2-13. Dialog box to accept a pattern for the pattern match filter. 
Press Enter to record the pattern. 


The position at which a set of characters is located is described by its offset. On 
token ring and certain other LANs, some frames contain a variable-length field 
called source routing information.1 The field, when present, comes after the DLC 
destination and source address, but before the regular data field. Thus, the position 
of data within a particular frame depends on whether that frame contains a source 
routing field. To allow for this uncertainty, you can state the offset in either of two 
ways: 


For a discussion of the structure of the source routing information field, see the section on routing information on 
page 88. 
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Frame relative: Describe location as the number of bytes from the start of the frame. 


Data relative: Describe location as the number of bytes from the start of the frame’s 
data segment; that is, from the start of the 802.2 frame. 


When a frame’s source and destination are on the same network, it requires no 
forwarding, and the routing field is frequently (but not universally) omitted. When 
you are confident that all the frames that interest you are in the same format (all 
with a routing field or all without) it’s safe to use a frame-relative offset. 
Otherwise, you need a data-relative offset. When you specify a data-relative offset, 
the analyzer adjusts the offset to compensate for the length of each frame’s routing 
field. 


To enter the pattern’s offset, move the highlight to offset= and there press Enter. 
The Sniffer analyzer opens a box in which you can write the value of the offset. The 
offset is always in hexadecimal. 


ENTER BYTE OFFSET 


| Enter a byte offset in hexadecimal: 
| Press ESC to abort 


Figure 2-14. Dialog box to accept offset to start of a pattern. 


Press Enter to record the offset. 


Cut and Paste a Pattern from the Display Hex Window 


Step 1. 
Step 2. 


Step 3. 


Step 4. 
Step 5. 


Step 6. 
Step 7. 


If you have already captured a frame that contains the pattern you want, you can 
have the analyzer copy its characters and its offset, so you don’t have to type them. 
(This procedure makes use of the hex and detail views from the display menu, 
described in Chapter 5.) Proceed as follows: 


Set your display to include both the hex view and the detail view. 
Find the frame that contains the pattern you want. 


In the detail view, move the highlight to the field you want. This automatically 
moves the hex view’s highlight to that field too. 


While the field is highlighted, press F5 to return to the main menu. 


Select capture filters, then pattern match, then to one of the four matches. Move 
rightward to specify its pattern. 


If need be, move up to select frame-relative or data-relative offset. 


Move to the line that contains pattern= and press Enter. That brings you to the 
entry box shown earlier (Figure 2-13, page 52). 
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Step 8. Press the Cursor Up key. That copies the characters that were highlighted in the 


hex view into the pattern entry dialog box. Press Enter to record the pattern. 


Step 9. Move to the line that contains offset= and press Enter. That opens the other entry 


box. Press the Cursor Up key. That copies the pattern’s offset into the offset dialog 
box. Press Enter to record the offset. 


Pattern Match Example in a Capture Filter 


The following example is based on the use of Telnet over TCP/IP over Ethernet. 
However, the general strategy for setting a pattern match are not specific to the 
network or protocols of the example. 


Suppose you get a complaint from the user of a terminal emulation package. She 
says that when she’s connected to a remote host, the network software confuses the 
actions of the Backspace and Delete keys, which (in this application) are supposed 
to do different things. Who is mixing them up? The emulator at the PC? The 
application at the host? The network software between them? 


Asa first step, you might examine what the emulator transmits to the host when 
the user presses Backspace and when she presses Delete, and what the host echoes 
back to each. (Telnet supports a terminal by transmitting one character at a time to 
the host. Usually, the host echoes each displayable character back to the terminal.) 


To study what happens, you need a filter that retains only those frames that 
include either Backspace or Delete embedded in a Telnet frame passing between 
the host and the user’s terminal emulation program. You can’t set a capture filter 
for the Telnet protocol explicitly (since you can’t filter on high-level protocols 
during capture). But you can achieve the same result with pattern matching. Here’s 
how you discover a pattern that identifies not just a Telnet frame, but one whose 
content involves the characters in question. 


First set an address filter to select all frames sent from the terminal emulator, and 
ask the user to do something that involves Backspace and then something that 
involves Delete. Browsing through the frames thus captured, you readily find 
Telnet frames addressed to the host. Examining them, you see that each consists of: 


A DLC frame (with a DLC source and destination), and within that 
An IP frame (with an IP source and destination), and within that 
A TCP frame (with a TCP source and destination of “Telnet”), and within that 


A Telnet frame containing the record of a keystroke sent from the terminal 
emulator to the host. 


To study how the program treats Backspace and Delete, you take advantage of the 
“cut and paste” facility to set a capture filter to match the following pattern. A 
frame is accepted when: 


+ Itcontains the IP protocol number for “TCP” (hex “06” at offset 17) 


and 
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. Itcontains the TCP code for Telnet data (indicated by a TCP source or 
destination port number of hexadecimal 17) 


and 


- Its IP source is the address of the PC running the terminal emulator, and its IP 
destination is the address of the host, or vice versa (by checking either offset). 


and 
- The Telnet data is either the code for delete (7F) or the code for backspace (08). 


IP protocol 
(at offset hex 17) 
= 6, "TCP" 
SAND OGXXXXXXXXXXXXXXAXAXXAKXKXKAAAAT 017 
lop Pattern Offset 
TCP source port me ponecenerecuenenenonocoenenveuees RUN) 
(at hex 22) or »Frame-relative |p>Match x Either 
us estate port 'Data-relative || Don't match _ offset 
at hex 24 — 
= 23 (hex 17) 
W Ml : 022 
Telnet Offset 


024 


Pattern: as Offset 
»Frame-relative |®Match x Either 
| Data-relative Don't match offset 


243800D0IXK 


O1A 
Offset 


IP source address 
O1E 


= [36.53.0.195] Patten ce Offset 
(hex 243500C3), yy »Frame-relative |>Match v Either 
and IP destination address '/ Data-relative | Don't match _— offset 
= [36.56.0.208] <n 
(hex 243800D0), Fs 036 
or vice versa = Offset 
036 
Offset 
Telnet data |>Frame-r ve pen _ #x Either 
(starts at hex 36) | Data-re e | Don't match offset 
is either 7F (delete) : 
or 08 (backspace) 


Figure 2-15. Example of a pattern match in the capture filter 


Figure 2-15 depicts the way pairs of individual patterns are combined to form 
matches, and the resulting matches are combined to form the filter. The diagram is 
shaded to emphasize the way the various components are grouped. The fields 
show data for the example just described. (Of course in a real situation the IP 
addresses would be different, but the values for “Telnet” and “TCP” are 
appropriate.) 
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Filters for Defective Frames 
on WAN/Synchronous, Ethernet, StarLAN or PC Network 


On a synchronous link or on Ethernet, StarLAN or PC Network, the Sniffer 
analyzer can filter arriving frames for the presence or absence of certain defects. 
This filter is available only if the network interface card retains defective frame and 
passes them to the Sniffer analyzer. The NICs for other networks simply discard 
defective frames. If you are using the Sniffer analyzer for ARCNET, LocalTalk, or 
token ring, these filters don’t appear in your capture filters menu and you should 
skip this section of the manual. 


The possible filters are indicated by check marks in Figure 2-16: 


WAN/Synchronous | Ethernet, StarLAN, PC Network 


Good frames / | Frames having none of the defects listed below 


Bad CRC frames |v | ¥ | Frames having a defective CRC 
| feet redundancy check) 


Fragments Vv | Frames having less than the minimum length. (These 
arise when a station detects that its transmission is 
colliding with the transmission of another station, and 
aborts its own transmission). 


Bad alignment / | Frames whose length is not an integer multiple of 8 bits, 
and hence cannot be unambiguously resolved into bytes. 


Figure 2-16. Filters for frame defects. 


Defects are described by categories that overlap. A frame with bad alignment is 
probably a fragment and most likely has a bad CRC. To avoid counting the same 
defects several times, the Sniffer analyzer does not assign a frame to more than one 
category of defect. It checks for defects in a fixed sequence; if it finds one, it moves 
on the next frame. The sequence is as follows: 


1. Is the total length sufficient? If not, report that the frame is a fragment, and 
discontinue checking. 


2. Is the alignment correct? If not, report that the frame has bad alignment and 
discontinue checking. 


Is the CRC correct? If not, report that the frame has bad CRC. 


If none of the above, report that the frame is a good frame. 
Working Definitions of “Fragment” 
Ethernet and StarLAN require that a frame contain at least 60 bytes. There, any 


frame with fewer than 60 bytes is considered a fragment, and is so classified by the 
Sniffer analyzers for Ethernet and StarLAN. 
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PC Network has no established minimum frame length. The Sniffer analyzer 
assumes that a length less than 16 bytes must be a fragment. Thus, if a station on 
PC Network generates a fragment having 16 or more bytes, it is almost certainly 
detected as invalid, but is classified not as a fragment but as a frame with bad 
alignment or bad CRC. 


Setting the Trigger 
The trigger event anchors and terminates the Sniffer analyzer’s capture of frames. 


When the trigger event occurs, the analyzer emits a chime. Normally, the analyzer 
then stops capturing frames and freezes the capture buffer. The buffer contains the 
trigger frame, and also frames that preceded it, or (optionally) frames that followed 
it. When you set up the trigger, you specify whether capture should cease 
immediately (so that the trigger frame is the last frame in the buffer), or ceases 
after a delay (so that the buffer also contains frames that arrived later). 


There are two kinds of trigger event: internal and external. 


Internal trigger: The Sniffer analyzer detects the arrival of a frame that matches the 
pattern you specified. 


External trigger The Sniffer analyzer detects a signal at its serial port. Typically, the 
signal is sent by another computer, linked to the Sniffer analyzer by 
connecting them serial-port-to-serial-port. The signal might also be sent 
by a sensor connected to the serial port. 


You can also have the Sniffer analyzer send a signal to the serial port 
when the trigger event occurs. The signal could notify another 
computer or device connected to the serial port. 


Setting an External Trigger or Signal 


Within the trigger menu, move the highlight to external trigger. Use the space bar 
to activate one of the two options: 


Direction | Signal at Serial Port 


From This option sets the Sniffer analyzer’s serial port to receive a trigger signal 
COM1 from an external device. The analyzer monitors Clear to Send and Data 
Set Ready. A change in either causes a trigger event. 


This option sets the Sniffer analyzer’s serial port to send a signal to an 
external device when it detects a trigger event. The analyzer signals 
Request to Send and to Data Terminal Ready. Both are inactive (negative) 
when capture starts. When a trigger event occurs, RTS is pulsed active 

(positive) for about one microsecond and DTR becomes and remains active. 


Figure 2-17. “To” and “From” options in the External trigger menu. 
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Although the procedure for using an external trigger is the same for each Sniffer 
analyzer, the serial ports differ between models. The serial port on the Series 500 is 
a DB9 connector. 


Figure 2-18 shows which pins are involved, and figure 2-19 shows where the pins 
are located in the serial port. 


Sniffer 300 or 500 
COM1: male DB9 connector 


Series 700 
COM1: male DB25 connector 


From COM1: 
Analyzer receives 
notice of a trigger 
event as a signal 
arriving at COM1 
CTS/DSR 


The analyzer monitors Clear 
to Send (pin 8) and Data Set 
Ready (pin 6). A change in 
either signal causes a trigger 
event. 


The analyzer monitors Clear 
to Send (pin 5) and Data Set 
Ready (pin 6). A change in 
either signal causes a trigger 
event. 


To COM1: 
Analyzer reports 
that a trigger 
event has 
occurred by 
sending a signal to 
COM1 RTS/DTR 


The analyzer sends a signal 
to Request to Send (pin 7) 
and to Data Terminal Ready 
(pin 4). Both are inactive 
(negative) when you start 
capture. When a trigger 
event occurs, RTS is pulsed 
active (positive) for about 
one microsecond and DTR 
becomes and remains active. 


Figure 2-18. Pin connections for the External trigger. 


The analyzer sends a signal 
to Request to Send (pin 4) 
and to Data Terminal Ready 
(pin 20). Both are inactive 
(negative) when you start 
capture. When a trigger 
event occurs, RTS is pulsed 
active (positive) for about 
one microsecond and DTR 
becomes and remains active. 


Series 300 and 500 


F (on cable) 


| | a, 
( Tetle-osa (I~ 
i | Se gel | =| 


M (on chassis) 


Pin 6 


F (on cable) 


Series 700 


M (on chassis) 


Pin 25 
Pin 13 as) 


20=DTR 
o+ 6=DSR 
eo+-5=CTS 
°-—-4=RTS 
e 
e 


ee e 
pos a 
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Figure 2-19. Locations of the pins used for external trigger signals. 
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Monitor Two Sides of a Bridge 


The external trigger feature is especially useful for monitoring network traffic on 
two sides of a bridge. To take advantage of this feature, you need two Sniffer 
analyzers, one on each side of the bridge. Connect the serial ports of the two 
analyzers. (If the two analyzers are models that use the same type of connector, a 
standard null modem cable should suffice.) 


Select the trigger in the analyzer main menu. From the trigger menu, select 
external trigger and then from/to. To select these options move the highlight to 
your choice and press the space bar. Notice the X next to that feature has been 
replaced with a W indicating the option is turned on. Set a pattern match and/or 
address match on both analyzers. 


If either Sniffer analyzer receives a triggering frame (a trigger event) while they are 
both monitoring traffic on their respective sides of the bridge, the analyzer that 
was triggered first then triggers the other, using the external trigger mechanism. 


Stopping Capture and Positioning the Trigger Frame 


Part of the Trigger menu describes the procedure for stopping capture. Here’s 
where you specify what you want to happen when the trigger event occurs or the 
capture buffer fills. 


If the Sniffer analyzer stops capturing when it detects a matching frame, the trigger 
frame is the last frame to reach the buffer and all other frames in the buffer arrived 
earlier. If the Sniffer analyzer doesn’t stop until the trigger frame is about to be 
pushed out of the capture buffer, the trigger frame is the first frame remaining in 
the buffer and all the other frames arrived later. 


Depending on whether you want to look at frames that precede the trigger event 
or those that follow it, you set stopping capture to specify the proportion of space 
in the buffer for frames captured before and after the trigger event. Your choices 
run from 0% to 100% preceding the trigger frame, in steps of 25%. 


To indicate your choice, move the cursor so that it highlights the percentage you 
want, and press the space bar. That moves the |» symbol (the arrowhead of the 
radio control) to the highlighted item. (The value you pick determines the 
proportion of space in the capture buffer, not the number of frames.) 


Caution. If you fail to specify a stopping position and leave the switch set to 
continuous capture, even though you have set a trigger, the occurrence of a frame 
that matches your trigger conditions does not stop capture. As capture continues, 
the trigger frame will move through the buffer and will be discarded as other 
frames continue to arrive and replace those stored earlier. 
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| 
Effect 


Option 
Stop when full| Even if the trigger event has not occurred, capture stops 
when there is no more space in the capture buffer. 
Continuous | The frames that arrived earlier are discarded to make room 
capture) in the capture buffer for the newer arrivals. When the trigger 


event occurs, the analyzer (as usual) emits a chime, but 
doesn’t stop capturing. If nothing else happens to stop 
capture, eventually so many frames will arrive that the 
trigger frame will be pushed out of the buffer. 


0% pretrigger 


Capture continues until the trigger frame is the oldest 
remaining in the capture buffer (frame 1), and all other 
frames follow it. 


25% pretrigger 


Capture continues until 25% of the space in the capture 
buffer is devoted to frames that arrived before the trigger 
frame. 


50% pretrigger 


As above, but 50% of the space in the capture buffer is 
devoted to frames that arrived before the trigger frame. 


75% pretrigger 


As above, but 75% of the space in the capture buffer is 
devoted to frames that arrived before the trigger frame. 


100% pretrigger 


Capture stops at once, so that the trigger frame is the last to 
arrive in the capture buffer and all other frames preceded it. 


Figure 2-20. Meaning of “stop capture” options in the trigger menu. 


Setting an Internal Trigger 


The internal trigger is a match for a set of patterns. The procedure to establish the 
set of component patterns and the logical relations between them is the same as the 
procedure used to establish patterns for the capture filter. 


In the main menu, move the highlight to Trigger. 


In the panel to the right of trigger, move the highlight to one of the four rows 
marked Match 1, Match 2, etc. From each of those, move rightward to insert a 
pattern and offset (or a pair of patterns and offsets). 


See page 55 for a diagram of the logic of joining several component patterns into a 
complex pattern. Figure 2-21 contains three examples of simple triggers; although 
the contexts differ, the principle is the same. In all cases, the easiest way to specify 
the pattern and offset is to find a captured frame that contains the desired pattern, 
highlight the relevant field in the detail view, and use the “cut and paste” feature 
to copy them to the pattern-match box. (See page 53 a discussion of cutting and 
pasting the specifications of a pattern.) 
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Token ring analyzer with 
IBM interpreter suite 


Ethernet analyzer with 
XNS interpreter suite 
(connected to 3Com+) 


ARCNET analyzer 
with Novell interpreter 
suite 


To trigger on a frame 
reporting an SMB error, 
you might first set the 
capture filter to pass only 
NETBIOS frames. Then 
set the trigger to freeze 
the capture buffer when it 
finds that the primary 
SMB return code is not 
equal to 00 (zero means 
“normal” ). In an IBM 
SMB frame, the primary 
return code is a single 
byte located at data- 
relative offset 27. 


To trigger on a frame 
reporting an SMB error, 
you might first set the 
capture filter to pass only 
XNS frames. Then set the 
trigger to freeze the 
capture buffer when it 
finds that the primary 
SMB return code is not 
equal to 00 (zero means 
“normal”). In an XNS 
SMB frame, the primary 
return code is a single 
byte located at data- 
relative offset 3D. 


To trigger on a frame 
containing a Novell 
fileserver “file open” 
request, you might first 
set the capture filter to 
pass only Novell 
frames. Then set the 
trigger to freeze the 
capture buffer when it 
finds that the request 
code is equal to 4C. In 
a Novell frame, the 
request is a single byte 
located at data-relative 
offset 2C. 


Figure 2-21. Sample trigger pattern for three networks. 


Marking the Trigger Frame 


When the Sniffer analyzer matches the trigger pattern, it reports that fact by 
changing the label in the upper left corner of the screen from CAPTURING to 


TRIGGERED (Figure 2-28). When you display the contents of the capture buffer, 
the trigger frame is marked with the letter T (see the section entitled Flags Option, 


page 108). During display, you can jump to the trigger frame, or if you wish, 
display time relative to the arrival of the trigger frame (see the section entitled 
Searching and Jumping, page 128). 


The capture buffer never contains more than one frame marked T. Suppose you set 
stopping capture so that capture continues after a trigger frame arrives. Suppose 
another matching frame arrives. What happens? Only the first is considered the 


trigger frame, and only the first is reported and marked. 


The Capture Menu 


After you've set up your capture filters and you've specified when capture should 
stop (in the trigger menu) , there are still some options you may want to set in the 
capture menu before you press the button to start capture. 


Buffer size. This item isn’t really an option. It reports the number of kilobytes your 
machine has allocated to the capture buffer. Press Enter to see a detailed report of 
memory allocation. 
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Frame size. This option sets the maximum length to which frames are truncated 
before entering the capture buffer. The options are: 32, 64, 128, 256, 5121 bytes, or 
whole frame. Default: whole frame. 


Units. This option sets the units in two areas of display: 


Units for the horizontal traffic density bar graph that shows current and 
“high water” traffic density while capture proceeds. 


Units used in traffic counters by station, by station pair, or by various 
classifications (varying with the network). 


Options are: Frame counts, kilobyte counts or (on a LAN) NW usage. Default: 
Frame counts. 


Scale linearity. This option sets the scale for the horizontal traffic density bar 
graph that shows current and “high water” traffic density while capture proceeds. 
The options are: Linear or logarithmic. The default is logarithmic. 


Display during capture. This option selects the type of display during capture from 
among the following: 


* Frame counters. (WAN/Synchronous only). Traffic is tabulated by type, 
separately for DTE and DCE, and by logical call. The scrollable panel of logical 
calls may show all calls (the default) or only active calls. 


* Individual counts. (LANs only). Traffic is tabulated by DLC source address. 


* Pair counts. (LANs only.) Traffic is tabulated by DLC source and destination 
address. 


* Matrix. (LocalTalk and ARCNET only). A variant of individual counts ina 
16x16 table (for networks with one-byte addressing). 


* Skylines. Histograms summarizing network activity at selectable intervals. 
Depending on the size of the display window, there are from 2 to 5 
histograms. The intervals are: every second, every minute, or every hour. 
Default: every second. 


The default is to display frame counters (on a synchronous link) or pair counts (on 
a LAN).; 


Source. The source from which frames are captured is indicated by the entry From 
<Xxxxxxx> at the bottom of the capture menu. Pressing Enter opens a dialog box in 
which you select the network (for live capture) or the name of a file (to replay 
capture from a file). The default is to capture from the network. 


Effect of Truncating Frames 


When you're primarily interested in the frames’ low-level headers, you can 
truncate frames that exceed a certain length and thereby fit more frames into the 


1 On ARCNET no frame can be longer than 512 bytes, so there’s no option to select a 512-byte cutoff. 
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capture buffer. On a very busy network, truncation may also help avoid losing 
frames, since a longer frame takes slightly longer to store. 


When each high-level frame is entirely contained within a lower-level frame, 
truncation leaves you the headers and discards part of the high-level data. Since 
the headers usually contain the information you need for analysis, little is lost by 
discarding the later parts of the frame. 


Each high-level frame entirely enclosed in a lower-level frame 
fae ee = | fe 
| m= | 


High-level frames, each spanning several lower-level frames 


Figure 2-22. Effect of high-level frames spanning multiple DLC frames. 


However, some high-level protocols (for example, TCP) are byte-oriented rather 
than packet-oriented, and some protocols (for example, ISO or X ) permit very long 
messages. As a result a single ISO or X message may span several lower-level 
frames. 


Figure 2-22 shows how a sequence of variable-length higher-level frames may be 
arbitrarily sliced and packed into frames of an intermediate byte-oriented protocol 
such as TCP. The start of a new spanned frame is not required to force a new 
lower-level frame. Thus, an X header (for example) may occur at any position in a 
TCP frame’s data field. If your analysis requires keeping track of the headers of 
high-level spanned frames, it is essential to save whole frames, since the headers 
and boundaries of the highest levels may otherwise be lost. 


Scales and Units Displayed During Capture 


Totals. The analyzer always reports the total number of frames it has seen 
(whether or not they passed its capture filters), and the total number of kilobytes 
they contained. On a synchronous link or token ring, these totals are reported 
directly as “frames seen” and “kilobytes seen.” On other networks, there is no 
single total for “frames seen,” but separate counts for various subtotals. For 
example, on Ethernet, StarLAN, or PC Network, there are totals for: 


* Total number of good frames 
* Total number of defective frames . 


* Total number of lost frames. 


On ARCNET, there is also a counter for the total number of token reconfigurations. 
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Buffer utilization. As capture proceeds, the analyzer continuously updates a 
counter showing the percentage of the capture buffer that has been filled. 


Chime. When the trigger is detected or when the buffer fills, the analyzer emits an 
audible chime. 


Momentary and “Highwater” Display of Traffic Density 


As capture proceeds (whether with meters or “skylines”) the Sniffer analyzer 
displays a thermometer-style horizontal bar to show real-time variations in traffic 
density (Figure 2-23). For LAN traffic, there’s a single bar. On a synchronous link, 
there are two separate bars, one showing traffic from DTE and the other showing 
traffic from DCE. Each bar is updated every second. Each shows a moving average 
of the last half second’s activity and the “high water”—that is, the maximum 
recorded during the current capture session. 


Local area network, with frames option 
: : 7 ! 
1 10 30 100 300 1000 3000 
Frames per second 
| | 
100 350 
Frames per second 


Figure 2-23. Traffic density bar graph for LAN and WAN/synchronous link. 


Line Status on the Synchronous Link 


Whether you choose counters or skylines, during capture the WAN/ synchronous 

Sniffer analyzer includes a one-line summary of the line’s status (Figure 2-24). The 
display shows the RS232 indicators RxC, TxC, RxD, TxD, CTS, RTS, DSR and DTR. 
The condition of each is indicated by the symbol Tt | or +. The symbol f indicates a 


logical 1, 1 indicates a logical 0, and t indicates that the indicator’s status has 
changed in the last second. 


O CRC Errors ¢RxC 2TxC tRxD 4TxD TCTS TRTS TDSR TDTR 0 Lost Frames 


Figure 2-24. Line status indicators on a synchronous link. 
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Units for the Meters and Traffic Density Bar Graph 


You can select the units that the analyzer reports during capture. Your choice 
affects both the traffic density bar graph (which appears regardless of whether you 
choose counters or skylines) and the units that are tabulated when you select the 
skylines option. 


The choices and their effects are listed in Figure 2-25 The default is frame counts. 


Units Units Units Totals 

in Counters | in Skylines (on the traffic (above the traffic 

(when used) | (when used) | density bar graph) | density bar graph) 
Frame counts Frames Frames Frames 

unaffected 

Kilobyte counts | Kilobytes Kilobytes Kilobytes oe ria 
Network usage Kilobytes Kilobytes Percentage of 
(LAN only) bandwidth 


Figure 2-25. Capture menu options for frames, kilobytes or usage. 


Linear vs. Logarithmic Scale for the Traffic Density Bar Graph 


You can select either a logarithmic or a linear horizontal scale for the traffic density 
bar graph. When the overall density is low, small variations are easier to see on a 
logarithmic scale (the default). The choices are listed in Figure 2-26. 


Linear A fixed distance (say 1 cm) corresponds to an absolute change in 
traffic density (say, 10,000 frames). 

Logarithmic A fixed distance (say 1 cm) corresponds to a relative change (say, 
10%), 


Figure 2-26. Capture menu options for linear or logarithmic scale. 


Choice of Counters, Skylines, or Neither 


During capture, the Sniffer analyzer normally displays either a table of 
continuously-updated counters, or a set of continuously updated histograms 
(called “skylines”). You indicate which you want by selecting skylines or one of 
the counter options. 


On some networks you may also elect highspeed mode, which turns off the 
display of counters or skylines to save time. 


Ona synchronous link, there is only one counter option (labeled frame counts), 
but a LAN offers two or three alternative formats for the counters. 
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Choice of Format for Traffic Counters on a LAN 


When you're working on a synchronous link, your menu contains only the 
alternatives frame counts or skylines. But on a LAN, you have two or three 
variations of frame counts to chose from. They are summarized in Figure 2-27. 


Individual | The analyzer tabulates the accepted frames by DLC source. Address 
counts are listed in the order encountered during capture. A count is kept 
for as many stations as can be reported in the visible display space.1 


Pair counts | The analyzer tabulates accepted frames by DLC source and 
destination. Address-pairs are listed in the order encountered during 
capture. A count is kept for as many stations as can be reported in 
the visible display space.1 


Matrix On ARCNET or LocalTalk ( networks that assign each station a one- 
display byte local address), all possible source addresses are arranged ina 
16x16 matrix with labels around the edges. This assures you can 
count any possible source, but precludes attaching names to the 
sources. 


Figure 2-27. Alternative traffic counters on a LAN. 


Capture Live from the Network or Played Back from a File 


The source is controlled by the capture option labeled From <xxxxx>. At the 
bottom of the capture menu, you'll see from followed by the name of the network, 
for example from Ethernet or from token ring, etc., as appropriate. When you 
capture from a file, this part of the menu shows from followed by the name of the 
file. 


To change the source of capture, move the highlight to From and press Enter. The 
Sniffer analyzer opens a dialog box from which you can select the source you 
want.2 


Highspeed Capture 


2 


On certain combinations of platform and network, sustained highspeed traffic 
might outrun the analyzer’s ability to capture every frame. To permit the analyzer 
to give maximum time to the process of capture, the highspeed option suppresses 
the display of counters or skylines. You still get a count of total frames. It is 
displayed in a small panel superimposed on the usual display, which is otherwise 


The available space varies somewhat. It may vary by a line or two, depending on the network . It may vary by 
considerably more when you direct display to SniffMaster I or to a high-resolution external display 


The option to flip DLC address, available for PC Network, applies regardless of whether you capture from the 
network or from a file. 
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frozen. The capture menu includes this option only for a network that might need 
it and a platform that can take advantage of it.1 When present, the menu item says 


X Highspeed 


To activate this option, move the highlight to it and press Spacebar to reverse the 
X (inactive) to V (active). 


Starting Capture 


When you have set up the capture filters and triggers and have specified the 
capture options you want, you're ready to start capture. 


Move the highlight to capture in the main menu, and press Enter. The Sniffer 
analyzer starts capturing frames. The screen changes to the type of display you've 
chosen: pair counts, individual counts, or skylines, with the scales and measures 
you indicated. 


Capture with Pair Counts 


1 


For each pair of communicating stations, the Sniffer analyzer updates a counter. 
The counter shows frames or kilobytes, as you elected in the capture menu. The 
table is initially blank. As the analyzer notices traffic between a station pair that it 
hasn’t seen before, it adds an entry. For each pair, there’s a counter for traffic in the 
direction first observed, and a second for traffic in the reverse direction. The 
number closest to the station’s name describes transmissions from that station to the 
other station. 


The analyzer adds pairs as it encounters them until it has used all available 
positions on the screen. (If you have an external monitor with a larger screen, you 
can display more.) After that, it continues to update the grand totals and the 
counts for the entries on the screen, but does not record details of pairs that aren't 
on the screen. 


Figure 2-28 shows the screen following a lengthy capture with pair counts. 
Although it was recorded from an Ethernet LAN, the screen would be quite similar 
for any other LAN. Figure 2-32 (page 72) shows a screen reporting capture on a 
synchronous link. 


In Figure 2-28, most stations are identified by names because a name table 
containing most of the DLC addresses had been created before capture started. The 
table had no name for the station shown as Exceln923931. The address that appears 
as AAAAAAAAAAAA (in both source and destination!) is spurious; in this particular 
case, it appeared because a station with a defective card transmitted several 
fragments when first turned on. Each fragment contained nothing but the character 


Currently, all models for Ethernet or PC Network. 
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hex A in every field. Setting the capture filter to exclude defective frames would 


eliminate this spurious entry. 
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Figure 2-28. Capture screen showing pair counts. 


Capture With Individual Counts 


Individual counts (Figure 2-29) work in much the same way as pair counts. The 
analyzer adds an entry to the screen for each station that transmits, in the order 
encountered. Because these entries record the sender but not the destination, fewer 
total entries are required, and each takes less space. So the screen has room for a 
greater number of entries. As with pair counts, the analyzer adds entries until all 
positions on the screen are filled. (If you have an external monitor with a larger 
screen, you can display more entries.) Then it continues to update the grand totals 
and the counts for the entries on screen, but does not record details of stations that 
aren't on screen. 
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CAPTURING Number of frames from the station 01:26:24 
Mktg_@ Carol Manuf 
SERVER Sys 1 Kristen C L Poda 1 45 
Cathy Atlantis Sun Kate 7 
SUPERVISOR 1 Term Servert NwkGn1020067 SiRRsI 
Kirk PRINT Sniff 2 FRR 
Jay RND Server 
Dale TS James #2 
atthew 2 Len 
Shauna Valerie 
Bruce Doug 
Unknown 9 . Dwarfs 
Renita Chris 
Kent Sparta SUN 
Matthew 1 Car] 
SUPERVISOR 2 David 
Karen James 
123040 Good 1 Fragments 0 Misaligned 0 Bad CRC 0 Lost 
123041 Frames accepted 31421 Kbytes accepted 100% Buffer utilization 
t | 
il 10 100 300 1000 3000 
Frames per second 
4 Clear 10 Stop 
screen Pausefm™capture 


Figure 2-29. LAN capture screen showing individual counts. 


Matrix Display of Individual Counts 
on ARCNET or LocalTalk 


ARCNET and LocalTalk use one-byte DLC addresses, so there are exactly 256 
possible addresses. On those networks, you can elect to display individual counts 
in a matrix of 16 rows and 16 columns, labeled 0 through F (Figure 2-30). For 
example, the count of traffic from station 3C is in the cell at row 3, column C. On 
the matrix display, there isn’t room for symbolic names. 
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CAPTURING Number of frames from the station 13 stns 00:02:47 
pei Sand rae eee a eet eee. 
: 195 
tis eee Oe eae ae 
a 
: ; 183 3 184 
53 ; 


Ce Dk Se eee 
1335 frames accepted. 11% butter used. 


| 
10 30 1000 3000 


Q CRC Errors rames per second 0 Lost frames 
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il 3 Data 94 Clear 6Captur 
Help display™ screen options capture 
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Figure 2-30. Matrix tabulation of traffic by LocalTalk source address. 


ARCNET Probe During Matrix Display 


On ARCNET, during capture with matrix display of individual counts, pressing F2 
activates the network probe (Figure 2-31). This causes the analyzer to pause capture 


momentarily while it sends a “probe” request to every one of the 255 possible 


sources. The probe causes each active station to echo a confirmation that it is alive. 


The result of this poll is displayed as an entry for each position in the matrix, as 
follows: 


New The station did not previously appear in the tally of frames by source but 


did respond to the probe. 
Gone The station was previously there but did not respond to the probe. 


n Anumber indicates a station that was already known to be there. (The 


number 0 indicates a station from which no frames have been observed but 


had responded to an earlier probe). 


A dot serves as a place holder representing an address that has neither 
transmitted nor responded to the probe. 
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CAPTURING Number of frames from the station 7 stns 00:01:07 
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Figure 2-31. Display following an ARCNET probe network command. 


During capture from a file, pressing F2 does not poll the network. Instead, it writes 
Gone in each cell that isn’t empty, and resumes counting by source from 0. 


The entry labeled stns in the top row records the number of different stations 
heard from since the last probe, whether or not they are still on the network. The 
totals below the column labels are for the entire capture session, not just the 
portion since the last probe. 


Caution. The network probe sends each possible station a one-byte frame 
containing the Datapoint-assigned system code for testing (hex 80). Although the 
NIC at each receiving station should respond to the test, its software should ignore 
the test frames. If any of the stations is unable to discard test frames without ill 
effect, you should not use the network probe. 


Capture with Frame Counts on a Synchronous WAN 


Counters.On a synchronous link, the metering screen during capture is divided 
into three zones (see Figure 2-32). On the left there are counters showing either 
frames or kilobytes for each of twelve HDLC types, totaled separately by direction 
(from DTE and from DCE). 


X.25 or SNA. The center zone has counters showing either frames or kilobytes at 
the next protocol level, either X.25 or SNA (according to your choice in the frame 
type item in the options menu). Since only information frames have SNA or X.25 
content, the total number of frames in the center panel may be lower than the total 
in the left panel. 


(Rework ie 
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Logical calls. In the third zone, the analyzer builds a table of logical calls, in the 
order encountered in the traffic. Each call is identified by its LCN and by its call 
address (if known). The LCN is composed of a logical channel group number and 
logical channel number. 


A column at the right shows whether each call originated from DTE or from DCE. 
For each call, the analyzer tabulates traffic on that connection in each direction. 


The LCN table is open ended, depending on the number of calls identified while 
capture continues. When the number of calls becomes larger than the number of 
lines allocated in the viewing window, you can scroll the list by pressing the 
Cursor Up or Cursor Down keys, or F7 or F8. 


Active vs. completed calls. The logical call table includes both calls that are still 
active and calls that have been completed. The counts for calls that are still active 
are highlighted. (In Figure 2-32 the counts 79 and 60 for LCN 014 are highlighted, 
indicating that the call is active, whereas those on the preceding and following 
rows are no longer active and hence not highlighted.) 


You may restrict the display to completed calls by pressing F2. Pressing F2 again 
restores the display to include all calls. Once a call has been completed, its logical 
call number may be reused, so the inactive calls may include multiple instances of 
the same LCN. 


Unknown LCN Addtess. A logical call’s address is contained in its first frame . If a 
call that began before the Sniffer analyzer started to capture, its LCN is known but 
not its address. The address for such a call is shown as a row of dashes. 
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Figure 2-32. WAN capture, with counts for HDLC, X.25 and logical call. 
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Names for Addresses. You can supply names for the source or destination of a 
logical call. The mechanism is the same as names for station addresses on a LAN 
(see page 138). The analyzer substitutes the name for the remote address (the 
source on a call from DCE, the destination on a call from DTE). Names addresses 


are visible in the right panel of Figure 2-32. 


Capture with Skylines 


A skyline is a real-time graph of traffic density. It shows a histogram that is 
updated by adding a new column at the right every second, minute, or hour, 
depending on the time scale you selected before you started capture. With the 
skyline (as with the table of counters), you also get a count of total frames, but no 
other itemization. 


10 Stop 
Pausem™capture| 


Figure 2-33. Skyline display on a local area network 
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On the analyzer’s built-in display, a skyline shows two graphs, one above the 
other, with a common horizontal time scale. (When you have a larger external 
display, you can have more than two graphs, as explained in the next section.) On 
a LAN (Figure 2-33), the upper histogram shows either the number of frames or 
the number of kilobytes transmitted during the interval, according to your choice 
of units in the capture menu. The lower shows the number of stations active 
during the interval. On a synchronous link (Figure 2-34), the upper histogram 
shows traffic from DTE, while the lower histogram shows traffic from DCE. 


{{Network)| 73 
|| General || 


Sniffer Network Analyzer Operations Manual 


CAPTURIN 00:03:34 
pe oe fe Pe eye kh Aer i Ga he 1G kk Ae w]e ee 


raw 


TRIS TUSr TDIR 
12147 frames accepted. 


5 20 


| 1 | 
| 
350 0 5 2 100 30 


100 


i 
Frames per second 
2se lect 4 Clear Scalegio Scalell7 View §8 View —f9 0 New 
display screeng§ up Down earlier later § Pause ficapture 


Figure 2-34. Skyline display on a WAN synchronous link. 


—— 


You can have the vertical axes calibrated on either a linear or a logarithmic scale, as 
you request in the capture menu. Whichever you choose applies to all the 
histograms. 


You can also adjust the scale of each vertical axis independently. Pressing F5 
(labeled scale up) gives you taller bars (on a smaller range), while pressing F6 does 
the reverse. You can press either of these while collection proceeds. 


The scale up or scale down keys affect only one of the skylines at a time. The one 
affected is the one for which the label on the vertical axis is highlighted. In Figures 
2-33 or 2-34, the word frames that labels the upper skyline appears in bold (or ina 
contrasting color on an external color monitor) to indicate that the upper skyline is 
active and will respond to scale up or scale down, whereas on the lower skyline 
the label #stns is not. 


To move the highlight (and the effect of F5 and F6) from one skyline to the other, 
press F2 or the Tab key. 


Additional Histograms on a Larger Screen 


If you're using a high-resolution external monitor, or you've used SniffMaster I to 
give the Sniffer analyzer a larger window, your screen may have more than the 
minimum 25 rows and 80 columns. If you use a larger screen, the Sniffer analyzer 
automatically expands its displays to take advantage of the additional space. (This 
is not an option, but an automatic consequence of a larger display.) For counters or 
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scrollable fields, you see a wider or taller expanse of the same material. However, 
when you display skylines, the analyzer includes some additional histograms. 


For Ethernet, StarLAN, or PC Network, as the size available for display increases, 
the total number of skylines may reach a maximum of five histograms. On token 
ring or a synchronous link, there isn’t quite as much information available, so the 
maximum is four histograms. The contents of the various histograms are listed in 
Figure 2-35. The notation “Frames or Kbytes” with an asterisk means that you get 
either the number of frames or the number of kilobytes, depending on your choice 
of units in the capture menu (page 62). 


Number of Ethernet, 
histograms StarLAN, . 
L PC Network Token ring WAN/Synchronous 
1. Frames or Kbytes* | 1. DTE Frames or Kbytes* 
2 
2. Number of stations 2. DCE Frames or Kbytes* 
1, Frames or Kbytes* ] 1. DTE Frames 
3 
2. Broadcasts 2. DCE Frames 
3. Number of stations | 3. DTE Bytes 
1. Kbytes 1. DTE Frames 
4 
2. Frames 2. DCE Frames 
2. Broadcasts 3. DTE Bytes 
4. Number of stations 4. DCE Bytes 
1. Kbytes 
5 
2. Frames (No more than four skylines) 
3. Broadcasts 
4, Errors 
5. Number of 
stations | 
*According to your choice in the capture menu. 


Figure 2-35. Content of the various skylines as screen size increases,. 
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Chapter 3. Network-Specific Testing 


Chapter Overview 


For certain networks, the Sniffer network analyzer is able to make tests or record 
data that are specific to that network’s transmission medium, topology or 
conventions. This chapter describes two network-specific tests: the Ethernet cable 
tester and the ARCNET token timer. 


The Ethernet Cable Tester 


For Ethernet, the Sniffer analyzer provides a cable tester: a means to check and 
report cable faults. The main menu includes an option labeled cable tester (Figure 
3-1). The cable test uses the network interface card as a time-domain reflectometer. 
During the test, the analyzer repeatedly emits a pulse and listens for the echo 
characteristic of certain types of faults. 


Network | 
General | | 
—d 


Cable Tester 
Ethernet Sniffer Traffic Generator # 
| Capture filters | 
Version 3.00 Trigger 
| Capture ¢€ 
(C) Copyright Display < 
1986 - 1990 | Files 


Morey 
Test the cable for short or opens. 


Use the arrow keys to move, or ENTER to do this function 


10 New 
Help capture 


Figure 3-1. Item for cable testing in the main menu of the Ethernet analyzer. 


The cable test runs continuously until you terminate it by pressing Esc. While the 
test is running, the analyzer does not perform any of its other functions. 


As long as the tester is active, the Sniffer analyzer continuously updates the 
display so that it always shows the cable’s current status. As long as it detects no 
fault, it displays the message No cable fault found. 


The analyzer can detect a cable fault located between its adapter and the 
transceiver that connects it to the network. It can also detect an open line or a short 
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in the network cabling beyond the transceiver (Figures 3-2 and 3-3). The Sniffer 
analyzer cannot test for faults, open lines, or shorts on cable segments separated by 
a bridge or repeater from the segment on which it is located. 


Inferring Distance from Time 


To locate a fault, the Sniffer analyzer notes the interval between its test pulse and 
the echo that the fault generates. It reports this time in nanoseconds with a 
resolution of about +50 nanoseconds. To estimate the probable distance, it divides 
the time by an estimate of the speed at which the signal propagates through the 
cable. The actual speed varies not only with the type of cable but also several other 
factors, including the type of transceivers and connectors, and variations in the 
network’s layout. 


The analyzer computes two estimates of the distance to the fault. It bases one 
estimate on the average propagation speed through standard Ethernet cable, which 
it assumes is about 0.79c. (The constant c represents the speed of light in a vacuum, 
about 0.3 meters per nanosecond.) It bases the other on the average propagation 
speed through thin cable (“Cheapernet”), which it assumes to be about 0.66c. These 
calculations have no way to allow for variations introduced by the actual 
conditions on a specific network. 


jCABLE TEST 


Cable open at 150 nanoseconds 


117' (35 MN) of Ethernet, 96" (29 M) of Cheapernet 
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Figure 3-2. The Ethernet analyzer’s report of an open cable. 


Since the resolution of the device producing the timings is to the nearest multiple 
of 50 nanoseconds, the estimate of distance would have an inherent uncertainty of 
+10-12 meters, even if the propagation speed for the segment involved were 
known precisely. In practice, there is uncertainty about the average propagation 
speed for the network as a whole and uncertainty about the specific part 
generating the signal. Also, it may be difficult to know the actual lengths of the 
cables when they’re concealed behind furniture, in the walls, above the ceiling, 
and so on. Nevertheless, even an uncertain estimate of distance may serve to 
bracket a range in which the trouble probably lies, and to rule out portions of the 
network at grossly different distances. 
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gCABLE TEST: 


Cable short at 650 nanoseconds 


ol 
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154 M) of Ethernet, 416' (126 M) of Cheapernet 


Press ESC to stop 


Figure 3-3. The Ethernet analyzer’s report of a short. 


To help you interpret the Sniffer analyzer’s reports when you really need them, it 
may be useful to run some calibration tests in advance. Deliberately introduce 
faults at various known locations. For example, disconnect a cable and leave it 
without a terminator while you run the cable tester. Note the time and distance 
that the Sniffer analyzer reports. Note how the report varies during other normal 
changes (for example, adding or removing a station). Save a table of your 
observations so you can compare them to the reports you get when the Sniffer 
analyzer finds a real fault. 


Limitations of the Cable Tester 


* The Sniffer analyzer readily detects an open line and produces a steady diagnostic 
display. The reflection characteristic of a short circuit between the center conductor 
and ground is harder to discriminate from a normal signal and so the analyzer 
sometimes misses it. 


* Certain intermittent defects can produce a jittering display. As it continuously 
updates the display, the Sniffer analyzer may assign different diagnoses to a 
continuously changing situation. 


* Whena collision anywhere on the network coincides with a test pulse, the 
resulting signal is similar to the pattern produced by an open line. However, a 
collision produces no more than a momentary flicker. 


* Transceivers vary in the way they transmit the test pulse and its echo. This 
variation in turn produces variation in the behavior of the cable tester. Most 
transceivers produce useful results, but some do not. 


* The procedure for converting time estimates to distance is subject to numerous 
unpredictable sources of variation. 
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ARCNET Token Timer 


If you have an ARCNET Sniffer analyzer, the main menu includes an entry for the 
token timer. When you move the highlight to token timer, the analyzer monitors 
the network’s performance by timing each round trip of the token. The Sniffer 
analyzer updates the display continuously to show the most recent time in 
milliseconds. It also shows a horizontal bar graph depicting the current time and 
the longest time encountered (Figure 3-4). 


plOKEN TINER 


Round-trip token time is 1.83 milliseconds 


Press ESC to stop 


0 2 4 


Milliseconds 
1 
Help 


Figure 3-4. The token timer display on ARCNET models of the Sniffer analyzer. 
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The round trip token time is a measure of how long a station must wait for an 
opportunity to transmit. On an idle network, the token moves from one station to 
the next in about 35 microseconds, plus the additional delays introduced by the 
cable and the transit times through the hubs. Each station that transmits a frame 
delays the token by an additional amount that varies from about 140 microseconds 
for a short frame, up to about 2.4 milliseconds for a long frame. 


For more information on the architecture of ARCN ET, see the relevant section of 
the Network and Protocol Reference. 
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Chapter Overview 


Setting Up 


The Traffic Generator is part of the Sniffer network analyzer for all networks except 
WAN/ Synchronous and LocalTalk.1 


The traffic generator permits you to load the network with background traffic 
messages sent from your analyzer. You might do that to observe how other 
stations respond to delays introduced by a large volume of unrelated traffic, or to 
test the response of an individual station to heavy traffic of a particular type or 
directed to it, or to test the action of gateways and bridges. 


Transmissions generated by the traffic generator always obey the network's 
normal rules for collision avoidance. For CSMA/CD networks, (including 
Ethernet, StarLAN and PC Network) that means using the standard collision- 
detection and back-off algorithms. For token-passing networks (including 
ARCNET and token ring) it means waiting for a free token and following the 
appropriate low-level transmission protocol. 


The traffic generator sends the same frame repeatedly (except that it inserts a 
counter in the frame’s data field). You can specify the total length of the frame, the 
interval between frames, and (on a LAN) the destination address. You can also 
specify the content of the first thirty-two bytes. By specifying them appropriately, 
you can generate frames that appear to the recipient to have a particular SAP or 
Ethertype, or frames to which no station should respond. 


Figure 4-1 shows the main menu panel from which you select the traffic 
generator. Pressing Enter at any of the options with # opens a dialog box in which 
you supply a value or select a destination. Before you start generating, you may set 
the destination, size, delay, number of frames to be sent, and the content of the 
data field.2 


On LocalTalk, it seems meaningless to repeat the same transmission. Every transmission of data is preceded by a 
request-to-send and a specific clear-to-send. No legal transmission (other than a broadcast poll) can be formed by 
repeatedly transmitting the same frame. 


2 On the token ring analyzer, you can generate traffic only at the rate set for capture; that is, you can’t transmit at the 


“wrong” speed. 
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Destination 


Traffic Generator 4 To <all stations> .a 


Capture filters 


Trigger Size = 1000 ¢ 
Capture <4 
Display 4 Delay = 10.00 < 
Files Frames = INFINITE # 
Options Data = 00000000...4 
Exit < 

Transmit to data terminal equipment 


You can choose the transmission speed 
Press ENTER to change the value 


Figure 4-1. The traffic generator menu. 


For local area networks, the traffic generator menu includes the frames’ 
destination address. In the center of Figure 4-lyou can see that it says To <all 
stations>, which is the default. The destination must be a DLC-level address. 


To change the destination, move the highlight to that item and press Enter. The 
Sniffer analyzer opens a dialog box showing all the DLC addresses in the 
analyzer’s working name table. Select the one you want and press Enter. For 
example, if you select an address whose name is James, the menu item now says 
To James <€. If you select an address that has no symbolic equivalent (for example, 
IBM 002FEB), the menu item then says To IBM 002FEB. 


If you want to send to an address that isn’t on the name list, amend the list by 
selecting new station (on the top row). Selecting new station opens a pair of dialog 
boxes, one for the new address and another for its name. 


On ARCNET only: You can’t address traffic to a specific but non-existent station. 
Whenever you address a frame to a specific station, the analyzer first verifies that 
there really is a station with that address. (That’s standard procedure for all 
transmissions on ARCNET.) If the analyzer receives no confirmation from the 
addressee, the analyzer reports Message not acknowledged — receiver may not exist and 
terminates the attempt to generate frames. 


Group destination. You may choose a broadcast address rather than the address of 
a specific station. Depending on the network, there may also be various classes of 
group address. 
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Size 


Delay 


Frames 


The size option sets the total length of the frame to be generated, in bytes. The 
minimum and maximum permissible lengths depend upon the network, as shown 
in Figure 4-2. 


Ethernet | StarLAN Pe ARCNET Token ring 
Network 
Min (bytes) 12 12 12 | 5 | 18 
Max (bytes) 1514 | 1514 2180 512 4Mbps 16 Mbps 
4458 17954 


| 
Figure 4-2. Size of frames the traffic generator can send, by network. 


On Ethernet or StarLAN, the length of the smallest valid frame is 60 bytes. Shorter 
frames occur as collision fragments, but the Sniffer analyzer is capable of 
generating them. If you specify a length less than 60 bytes, you will see a warning 
that other stations may sense these as collision fragments and report them as 
network errors 


The delay option sets the minimum interval between the end of one frame and the 
start of the next. (The actual delay may be longer if the analyzer has to wait while 
other stations transmit.) Pressing Enter while the highlight is on delay causes the 
analyzer to open a dialog box in which you write the number of milliseconds you 
want. The dialog box shows you the minimum and maximum values you can 
enter. They depend on the network, as shown in Figure 4-3. 


: 
Ethernet | StarLAN PC ARCNET | Token ring 
Network 
Pela 0.04 0.04 0.20 2.0 1.0 
milliseconds | 1999 1000 | 1000 1000 | 1000 


Figure 4-3. Interval between consecutive frames sent by the traffic generator, by network. 


The frames option sets the number of frames to be sent. Pressing Enter while the 
highlight is on frames cause the analyzer to open a dialog box in which you write 
the number you want. You can set any value between 1 and 999999999 or write 0 
for INFINITE, which means that the analyzer keeps transmitting frames until you 
press Esc to stop it. That’s the default. 
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Data 


RI option. On a token ring network, in addition to its DLC source and destination, 
a frame may include source routing information. The field containing this 
information is usually called RI, for “routing information.” 


The IEEE 802.2 standard does not mention RI. IBM introduced source routing on 
token ring networks, and that remains the context in which it is most frequently 
found. In principle, source routing information can be used not just on token ring 
but on any LAN that uses 6-byte station addresses, including Ethernet, StarLAN, 
or PC Network. All the Sniffer analyzer’s RI-related features are present for all 
these networks. 


RI is a variable-length field inserted after the DLC destination and source and before 
the frame’s usual data. Thus, when a frame contains an RI field, the other data is 
displaced by the total length of the RI field. (To allow for the varying size of the RI 
field, the Sniffer analyzer permits you to describe a pattern by either its frame- or 
its data-relative offset; see page 53.) 


The RI field contains an identifier for each of the gateways that forwarded the 
frame. As it retransmits a frame, each gateway appends its own 2-byte identifier! 
to the RI field. By this means, the ultimate recipient has a record of all the gateways 
that forwarded the frame. 


To request that each gateway insert a record of itself, the originating station turns 
on a bit within the source address, referred to as the RI bit. (If this bit were in the 
destination address, it would indicate a broadcast address. It’s the high-order bit on 
token ring, the low-order bit elsewhere.) Turning on the RI bit instructs each 
station that receives the frame to interpret the first two data bytes as the RI header, 
perhaps followed by a list of gateway identifiers. 


The originating station sets up the RI header. Five bits in the RI header record the 
total length of the RI field (including the header). Initially, when no gateway has 
yet forwarded the frame, the total length of the RI field is 2 bytes. Each gateway 
that forwards the frame appends its own 2-byte identifier to the list of gateways 
and increases the RI length by 2. 


If you elect to generate frames with the RI bit turned on, it’s your responsibility to 
include a consistent RI header at the beginning of the data you specify. 


To indicate that you want the generated frames to include RI information, from 
data = move rightward to RI present. The default is no routing information, 
indicated in the options menu by: 


X RI present 


The identifier is composed of a 12-bit ring number and a 4-bit bridge number. These are arbitrary numbers 
assigned by the network administrators. The RI identifier is unrelated to the bridge’s station address. 
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By moving the highlight to this item and pressing Spacebar you reverse the X 
(inactive) to Y (active). In the DLC source field of each frame it generates, the 
analyzer modifies its own address to include the bit that means RI present. 


The data field in all networks. The effects of specifying the first 32 bytes of data are 
summarized for various networks in Figure 4-4. 


Ethernet, StarLAN 
or PC Network 


ARCNET 


Token ring 


The hex characters you write 
specify the first 32 data bytes, 
that is, those that follow the 6- 
byte destination and 6-byte 
source address. If you checked 
the RI option, the variable-length 
source routing information 
follows the first 2 bytes of user- 
settable data. 


Interpretation of the first 2 data 
bytes depends on whether you 
generate Ethertype or IEEE 802.3 
frames (see Figure 4-5). In 802.3 
format, first 2 bytes are the 802.2 
length, followed by the variable- 
length RI field, followed by the 
802.2 header. In Ethertype 
frames, the first 2 data bytes are 


the Ethertype. For example, 0800 | Novell NetWare bytes indicating the type of 
identifies the IP Ethertype, while | is FA. transmission. 
{ 0600 identifies XNS. 


The hex charac- 
ters you write 
specify the first 
32 data bytes, 
that is, those that 
follow the 1-byte 
source, 1-byte 
destination, and 
the bytes used to 
encode the 
frame’s length. 


The first of the 
data bytes is the 
ARCNET system 
code assigned by 
Datapoint. For 
example, the 
system code for 


The hex characters you 
write specify the first 32 
data bytes, that is, those 
that follow the 1-byte 
access control, 1-byte frame 
control, 6-byte destination 
and 6-byte source address. 
If you checked the RI 
option, the first of your 32 
bytes contain the source 
routing information. 


The first data byte 
(following the RI 
information, if any) 
identifies the destination 
SAP, and the second the 
source SAP. The next one 
or two bytes are control 


Figure 4-4. Location of the specifiable data in a generated frame, by network. 


Based on 


Ethertype | Destination 


Automatic | Controlled by what you specify for the first 32 bytes 
TO <XXXXXX> 


Etype RI 


Data 


Source 
6 bytes 6 bytes 


Destination 


0-32 bytes 


RI 


Remainder... 


802.2 header Data 


6 bytes 


Source 
6 bytes 


Figure 4-5. Data for Ethertype and IEEE 802.3 frames with RI on Ethernet. 


0-32 bytes 


3—4 bytes Remainder... 
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Starting the Traffic Generator 


To start the traffic generator, after you've specified the various parameters, move 
the highlight to traffic generator and press Enter. The analyzer displays a screen 
like that shown in Figure 4-6. While the Sniffer analyzer is generating traffic, it 
can’t perform any of its other functions as an analyzer (but it does continue to play 
a normal role on the network). 


pIRAFFIC GENERATOR 


Sending frame 9461... 


Press ESC to stop 


| +f + 
200 400 600 800 1000 
Frames per second from this station 


ot 


| | | —+ 
400 800 1200 1600 200 
Kbytes per second from this station 


Figure 4-6. Screen visible while a token ring analyzer (at 4 Mbps) is generating frames. 


Sequence Numbers 


Each frame transmitted by the Sniffer analyzer’s traffic generator contains a 
sequence number. Each time you start the traffic generator, the sequence numbers 
start at 1. The frame’s last four bytes contain the sequence number. If the last four 
bytes overlap the first 32 data bytes, the sequence number overwrites some of the 
data you specified for the first 32 bytes. 


In Figure 4-7 you can see the frame number. It is encoded as a 32-bit unsigned 
integer, with the high-order bytes first. Thus, the decimal frame number that 
appears in Figure 4-6 as 9461 appears in the hex display (Figure 4-7) as 00 00 24 F5. 


Format of the Transmitted Frame 


The format depends, of course, on the network. Each LAN frame starts with a 
header and DLC addresses appropriate to the network. Figure 4-7 shows the 
token ring frame whose transmission was noted in Figure 4-6, after it has been 
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captured by another Sniffer analyzer. (Ona different network, the frame would 
differ slightly, but would have the same general appearance.) 


The first two bytes are the AC and FC bytes of the standard DLC header, visible in 
the hex view as the characters 18 40. 


Six bytes of destination address follow (in this case, CO 00 FF FF FF FF, which 
means “Broadcast”). Then there are 6 bytes of source address (in this example, 40 
00 65 01 00 01, which was the address of the sending analyzer). 


Then come the 32 bytes elected in the panel that generated the traffic. In the frame 
shown in Figure 4-7, the data starts with 00 00 03 00 .... 00 (On token ring, that’s the 
analyzer’s default.) In the detail view, the analyzer interprets the frame. The DSAP 
and SSAP fields are both 00. Since those do not match any protocol known to the 
analyzer, it shows the protocol as ???. The analyzer interprets the first 4 bytes as 
UI, and attaches the explanatory text “Unnumbered information.” In the hex view, 
the first 3 of those 4 bytes appear highlighted. (The fourth isn’t highlighted because 
the preceding bytes are sufficient to identify the UI command, and the protocol 
interpreter knows that UI makes no use of the fourth byte.) 


rSUMMARY——Delta t——DST SRC 
b cast <A Sniffer 22? DSAP=00 UL frame, 23 bytes 
34 0.005 Broadcast «A Snitier 2) DSAP=00 UL frame, 23 bytes 
35 0.005 Broadcast «A Sniffer 22? DSAP=00 UI frame, 23 bytes 
36 0.005 Broadcast <A Sniffer 27? DSAP=00 UI frame, 23 bytes 
37 0.005 Broadcast «A Sniffer 27? DSAP=00 UI frame, 23 bytes 


Frame 33 of 247 


rHEX ASCII 
0000 18 40 CO OO FF FF FF FF 40 00 65 01 00 01) @) .@..... He ais & 
0010 00 00 00 00 00 00 00 000000 0000 0000 00 @.............. 
0020 0000 00°00:00 00 24 Fo a $. 


Use TAB to select windows 

6Displyg/ Prev §8 Next 10 New 
Helpam mark in Menusfimmoptions™ frame § frame capture 
J 


Figure 4-7. A token ring frame generated by one Sniffer analyzer and captured by another. 


Following the 30-byte header, the rest of the frame consists of as many repetitions 
of hex 00 as necessary to fill out the total length you requested. The sequence 
number occupies the last 4 bytes. (In Figure 4-7, the sequence number is the 
characters 00 00 24 F5 at the end of the frame’s data field). 
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Chapter 5. Displaying and Interpreting Frames 


Chapter Overview 


This chapter describes the various ways you can display and analyze the frames 
that you’ve captured. (The Sniffer analyzer also provides real-time monitoring. 
Displays visible while the analyzer is capturing are described in Chapter 4. 
Displays produced by the Sniffer Network Monitor are described in the Sniffer 
Network Monitor Installation and Operations Manual.) 


Role of the Capture Buffer 


For the Sniffer analyzer to display or interpret them, frames must be in the capture 
buffer. If you’ve just completed a capture session, the frames you captured are in 
the buffer. You can start displaying them. 


Alternatively, you can load the capture buffer from a file of frames captured 
earlier. When you load the capture buffer from a file, frames from the file replace 
those in the buffer. If the buffer now contains frames that you haven't saved and 
don’t want to lose, save them to a file before loading the buffer with a new set. To 
save the current contents of the capture buffer to a file, or to load a saved file into 
the capture buffer, start from the files menu; see page 142. 


To manage how frames are viewed, or to look at particular frames within the 
capture buffer, start from the display branch of the main menu (see Figure 5-1, 
page 96). 
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Display Menu Overview 


The display menu first offers you your choice of four ways to view the captured 
frames. The options are: 


Summary 
Detail 
Hex 


Two viewports 


You can see those options in the right panel of Figure 5-1. (The figure shows the 
screen of an Ethernet analyzer, but the display choices are the same for all 
networks. “Manage names” would ordinarily fall below the lower edge of the 
panel, and wouldn’t become visible until you scroll down.) The options are not 
mutually exclusive; you can check any combination of them. By default, summary 
is initially selected and the others are not. Each view is described later in this 
chapter. 


pMENUS 
Cable Tester < 
Traffic Generator # 
Capture filters 
Trigger 
Capture < 
/ Summary 
Ethernet Sniffer Files | x Detail 
Options x Hex 
Version 3.00 Exit | x Two viewports 
| 
(C) Copyright Filters 
1986 - 1990 | Print ¢ 
| Manage names 


Display collected data. 


Use the arrow keys to move, or ENTER to do this function 


0 New 
Help capture 
\ 


Figure 5-1. The display menu and its branches. 


The menu also offers a choice of filters to select frames for display, a print option 
for reports on selected frames, and an option to manage names to make displays 
more readable. You can see these choices in the lower portion of the right panel in 
Figure 5-1. 
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Once you've selected your display options, press F3 to view the data in the 
capture buffer. (Alternatively, move the highlight back to display and press Enter.) 
The sections that follow describe the effects of the various display options. 


Setting the Display Filters 


Either before you start display, or as display proceeds, you can establish a display 
filter. Your display filter limits display to a subset of the frames in the capture 
buffer. Filtering doesn’t remove frames from the buffer, but omits them from the 
display. When some frames are skipped, the frames that remain visible have the 
same frame numbers as before. Thus, you may see frame 30 followed by frame 35 
because the display filter excludes frames 31-34. 


When you save the contents of the capture buffer to a file, you may choose to save 
all frames (regardless of the display filter) or just the frames that the filter accepts. 


It’s easiest to set up a display filter and to select your initial form of display before 
you actually start displaying frames on the screen. However, it’s not hard to alter 
your filters or your display options after you've started the display. To change 
filters or display options, press F6, display options. That opens a temporary panel, 
superimposed on your current display. (See Function Keys Available During Display, 


page nn.) 


You can see the display filters submenu in Figure 5-2. (The figure includes frame 
quality options that are available only on Ethernet, StarLAN or PC Network.) 


3 


Cable Tester €| y Summary 
Traffic Generator €| x Detail 
Capture filters x Hex 
Trigger x Two viewports Address level 
Capture < Address filter 
Display cS 
Files } Print €| = Pattern Match 
Options Manage names | 
Exit < J Good frames 
/ Bad CRC frames 
J Fragments 
J Bad alignment 


Setup filters for frames to be displayed. 


Use the arrow keys to move around in the menu 


3 Data 
Help display, capture 


Figure 5-2. The display filters menu. 
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Criteria for Filtering 


The display filter permits the Sniffer analyzer to display a frame that meets all of 
the following criteria: 


Address level. The frame contains an address in one of the indicated protocols. 


Destination class. The frame contains a DLC address in the indicated class (such 
as broadcast or specific). 


Station address. The frame contains any of up to four specific addresses at any of 
the levels selected by the address level filter. 


Protocol. The frame contains one or more of the protocols marked with av. 
Pattern. The frame contains the logical combination of patterns you specified. 


Frame defects. (on Ethernet, StarLAN and PC Network only). The frame exhibits: 


No errors 
Bad CRC 
Fragment 
Bad alignment 


—as you place a ¥ beside the categories you want included in the display. 


Address Level Filter 


Every frame contains both the address of the station from which it just came and 
the address of the station that is its immediate destination. These addresses are in 
the frame’s lowest level, usually DLC. Frequently a frame contains other addresses 
as well. For example, it may contain the address of the original source and the 
address of the ultimate destination. The data field of a lower-level frame thus may 
includes a message written in a higher-level protocol, with its own source and 
destination, written according to that protocol’s rules. 


This is almost certainly the case for all frames ona synchronous communications 
link, and also very likely when frames are being relayed through a gateway 
between LANs. At the DLC level, a frame’s source and destination may be the 
stations responsible for the current leg of its journey. Within the DLC frame, there 
may well be addresses in embedded protocols such as XNS, IP, X.400, and so on. 


When you set an address level filter, you put a ¥ beside one or more protocols in 
the panel to the right of address level. The filter accepts only those frames that are 
addressed in one of the protocols you’ve checked. To be included in the display, a 
frame must contain 


* A protocol from the indicated set of protocols 
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and 


« Anaddress in that protocol. 


Many protocols require that the frame include an address. But that is not universal. 
Where the protocol permits both addressed and unaddressed messages, an 
address level filter accepts a frame only when it actually contains an address. 


The Sniffer analyzer’s default address level filter has a check at the lowest level of 
protocol, but at none of the higher levels. Since every frame has a low-level 
address, the default accepts all frames. To limit the display, you must put a check 
mark beside the protocols you want and also remove the check mark from the 
lowest level. 


The summary view shows one address for each frame. When a frame contains 
multiple levels of address, the summary view shows the highest of the levels you 
checked in the address level filter. Thus, if you put check marks at the lowest level 
and at some higher levels, that choice cause the analyzer to accepts all frames but 
makes the summary display show higher-level addresses. 


Effect on displayed names. In the summary view, when the Sniffer analyzer 
displays a frame’s source and destination, it shows the address at the highest of the 
levels you checked in the address level filter. When the name table contains a 
symbolic equivalent for that address at that protocol level, the summary view 
shows the name instead of the numeric address. 


Effect on the name table. When you edit names (described starting at page 138), 
the name table includes an option to add a new station for each of the protocol 
levels checked in your address level filter. 


Address Filter 


An address filter is formed from some logical combination of up to four pairs of 
addresses. Address filters for display work just like address filters for capture, but 
with one important difference. During display, the addresses you specify can be at 
any of the levels that your protocol interpreters recognize. (By contrast, during 
capture a filter can consider only low-level addresses.) 


The procedure for setting an address filter for display is like the procedure for 
setting one for capture (described starting at page 43). However, there are a few 
additional points because during a display filter can include addresses at any level. 
To review, the procedure is as follows: 


1. In the display menu, select filters. 


2. Inthe filters menu, select station address. Here you may enter from one to 
four matches, each of which may contain a single address or a pair of addresses. 


3. Move the highlight to the first match. Initially, it has the name Match 1. (You 
can give a name to each of your four matches. The name has no effect on what 
the analyzer does. The match names just serve as mnemonic labels. To change 
the name Match 1, move the highlight to Match 1 and press Enter; see Figure 
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2-5, page 44. That opens a dialog box in which you can supply a name for this 
match.) 


From SERVER ¢ 
fHatch 1 To <any station» 
Maton 2 


Match 3 v Reverse direction 
Match 4 
Others nclude these 

cl 


Toy 


ude these 


1 10 New 
Help capture 


Figure 5-3. Menu from which you select a station address for the filter. 


4. To specify the address for your first match, move the highlight to the entry to 


the right of Match 1. Initially, it says From <any station>. Pressing Enter opens 
the working copy of the name table. To select an address for your filter, scroll 
to the line that contains the address you want and press Enter. The Sniffer 
analyzer copies the highlighted address into the slot labeled from. Instead of 
saying From <any station>, it now says From the address you selected. 


As you scroll through the name table, notice that it contains addresses at 
various levels (see Figure 5-4). Sometimes the same address may occur at more 
than one level. When you choose an address, it’s important to place the 
highlight on the address at the level you want. 
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ELECT STATION Leve]|==Addr 
<New station> DL 
<New station> IP 
<New station> XNS 
<Any station> XXXXXXXXXXXX 
DLC Intr 1n05924F 
XNS 02070105924F 
DLC NwkGn 1020056 
DLC NwkGn 1040004 
DLC Tntr 1n03E5C2 
ACCIG XNS 0005A3826EF 
Applelalk 120 ATALK 0.128 
AppleTalk 255 ATALK 0,255 
Athens TS IP [192. 42. 252. 25] 
Atlantis Sun DLC Sun 076A03 
Atlantis SUN TP [192. 42. 252. 20] 
BIZ-ONE XNS 100058122041 
Use | and t then press ENTER, or ESC to return. 
Help 


Figure 5-4. Dialog box in which to select a station address for display filters. It includes a 
new address entry for each protocol checked in the address level filter. 


Adding Entries to the Working Name Table 


If the address you want isn’t yet in the name table, you must first add it to the table 
and then select it. There are two ways to add new addresses: 


* Let the Sniffer analyzer scan the capture buffer and add new addresses 
automatically 


* Add the new addresses manually. 


Automatic scanning for new addresses. The easiest way to make sure that all 
addresses in the capture buffer are in the name table is to have the Sniffer analyzer 
scan the entire contents of the capture buffer. It does that automatically the first 
time you use display following capture (see page 135). 


Adding addresses manually. To write a new address into the name table, highlight 
the line that says <new station> for the address level you want, and press Enter. 
The name table contains a <new station> entry for each of the levels checked in the 
address level filter. If the name table lacks a <new station> entry for the level you 
want, probably you haven't yet checked that level in the address level filter. 
Return to the address level filter, adjust it appropriately, and then go back to 
defining your station address filter. 


Caution— unnamed addresses are transitory. The working name table lasts only 
until you exit the Sniffer analyzer. You can save the name table by selecting 
manage names and then save names. But that only saves addresses that have names. 
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Addresses that lack symbolic equivalents are dropped. Be sure you have assigned 
a name to each address you want to preserve. 


Protocol 


You can filter for frames that contain a protocol that interests you. Set a check mark 
beside the name of each protocol that you wish to include in the display. The filter 
displays a frame if it contains any of the protocols you check. 


During display, the Sniffer analyzer can filter for any protocol that its protocol 
interpreters recognize. (However, during capture, the analyzer filters only on the 
lowest-level protocols.) 


The procedure to mark protocols in the display filter is the same as the procedure 
to mark protocols in the capture filter (see the discussion starting at page 48). 
However, for display the list of possible protocols is longer. That’s because it 
includes any of the protocols interpreted by your protocol interpreter suites, and 
not just protocols at the DLC level. 


(A quick way to select only one protocol is as follows: Move the highlight to the 
one you want. Press Alt-Spacebar to change v to X for all protocols. Then press 
Spacebar to change X to ¥ for the protocol you've highlighted.) 


Pattern Match 


You can set a filter to accept frames that contain a set of patterns. The set may be 
built from a logical combination of up to eight component patterns. Each 
component pattern is a specific sequence of characters at a specific location (each 
described as hex, binary, or text). The procedure for specifying a set of patterns for 
the display filter is exactly the same as the procedure for specifying a set of 
patterns for the capture filter (see the discussion starting at page 49). The only 
difference is that for display patterns you highlight pattern match in the display 
filters menu rather than in the capture filters menu. 


Defective Frame 


On some networks, you can filter for the presence or absence of certain defects. 
This is possible only where the network interface card passes defective frames to 
the analyzer (Ethernet, StarLAN and PC Network). On these networks, the display 
filters menu includes four additional options. (They also appear in the capture 
filters menu.) The four are: 


Good frames (that is, frames having none of the following defects). 
Bad CRC frames. 
Fragments. 


Misaligned Frames. 
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You may check any combination of them. The analyzer displays a frame only when 
its type has a check mark beside it. 


Three Ways to View Frames 


There are three ways to view a frame. You can have just one view on the screen or 
any combination of the three. These views can be focused on a single frame in the 
capture buffer, or at two different frames. The three views are: 


* Summary view. A short form of the hexadecimal and detail listings condensed 
so that each level fits on a single line. You may elect to show all levels of 
interpretation or only each frame's highest level. 


* Detail view. The protocol is identified and standard fields within it are labeled 
and explained. Station addresses are replaced by their symbolic equivalents 
according to the address table you supplied in the default startup file (see page 
136 ff.). Since a low-level frame may contain higher-level frames within it, a 
single frame may require several levels of interpretation. 


* Hexadecimal view. All bytes of the entire frame are shown, accompanied by a 
transliteration to ASCII or EBCDIC characters. 


How the three views are positioned. When you have more than one view open, 
they’ re always in the same order. Summary is always above the others. Hex is 
always below the others. 


Dual Viewports 


In addition to these three views, you also have the option to split the screen 
vertically into two independent viewports. The two sides contain the same 
combination of summary, detail, and hex. Having two viewports permits you to 
scroll independently on the left and right sides of the screen. That way you can 
keep a frame in view on one side while on the other side you scroll forward or 
back to look for related frames. 


Zoom 


To get an enlargement of one of the views, press F4, Zoom in. The active view then 
occupies the entire area, temporarily concealing the others. To return to the multi- 
panel overview, press F4 again. 


Active Panel 


The view that contains the cursor is said to be active. The border of the active panel 
is shown intensified (brighter or in a contrasting color, depending on the monitor). 
The Tab key moves the highlight from one panel to the next, activating the panel 
in which it arrives. Shift Tab moves the highlight in the reverse direction. 
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The Summary View 


The summary view gives you a condensed view of your captured frames. Each is 
reduced to a single line or a few lines. The summary view is the only view that 
shows several frames at once. Although each frame is abbreviated and condensed, 
you can see at a glance the sequence and context of the frames. You can then 
examine individual frames in greater detail or skip over them. 


You have several choices on the summary submenu, visible in the right panel of 
Figure 5-5). (The figure shows more options than would appear in any single 
Sniffer analyzer’s screen. Token timer and the choice of hex or octal addresses 
occur only on ARCNET. Cable tester occurs only on Ethernet.) 


Token Timer < 
Cable Tester < Name width= 12 ¢ 
Traffic Generator € | 
Capture filters Pees addresses 
Trigger | | Octal addresses 
Capture < 
J / Highest level only 
Files x Detail x Two-station format 
Options x Hex 
Exit | x Two viewports | x Flags 
| x Absolute time 
Filters / Delta time 
Print ¢#) x Relative time 
Manage names x Bytes 


x Cumulative bytes 
xX NW Utilization 


I Show the summary interpretation of frames. 


Press space to select (v) or not select (x) this option 
il 8 Data 10 New 
Help display capture 


Figure 5-5. Options for the summary display. 


Names in the Summary View 


In the summary view, when the Sniffer analyzer knows a station’s name, it uses it. 
But when an address has no symbolic equivalent in the name table, the analyzer 
displays the station’s numeric address. In general, a numeric addresses is shown in 
the conventional format for its type. For example, a DLC addresses is shown in 
hexadecimal, but an IP addresses is shown as [n.n.n.n], and so on. 


On ARCNET or LocalTalk, a DLC address is just one byte, but on Ethernet. 
StarLAN, PC Network or token ring, each station’s DLC address contains 6 bytes. 
Six bytes can be written as 12 hexadecimal digits. That is the default width of the 


name field in the summary display for all Sniffer analyzers (regardless of network). 
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On ARCNET people sometimes show addresses in octal. On an ARCNET Sniffer 
analyzer you have the option to display addresses in octal rather than 
hexadecimal. 


Manufacturer IDs. Where the analyzer shows a 6-byte DLC address, it attempts to 
interpret the first three bytes as the name of the NIC’s manufacturer. When it is 
able to find the manufacturer’s code in its table of manufacturers, it replaces the 
first six characters of the station address with an ASCII abbreviation of the 
manufacturer’s name. (The file containing names for manufacturer IDs is named 
startup.xxi, where xx stands for the two-letter network abbreviation (TR, EN, etc.). 
It’s possible to edit the file to add or revise the codes and their abbreviations. See 
Chapter 7, Sniffer Files, starting at page 166.) 


Higher-level addresses. To have the analyzer use higher-level protocol addresses 
instead of DLC addresses, you must check the desired protocol levels in the 
address level filter; see page 98. 


Width of the Name Field 


You may change the width of the name field in the summary display. The name 
table permits names up to a maximum of 31 characters. If you use long names, you 
may want to make the name field wider to accommodate them. This may push 
some other fields off the screen, but you can always scroll sideways to see what's 
there. If you use an external screen, you may be able to display more rows or 
columns. The analyzer takes advantage of extra columns if they’re available. 


The name field’s smallest permissible width is six characters. When the display 
includes a name longer than the name field, the Sniffer analyzer truncates the 
name and replaces the last two visible characters with dots (to show that the name 
has been truncated). For example, if you squeeze the 10-character name FileServer 
into an 8-character field, it appears as FileSe. .(that is, six characters and two dots). 


Multiple Levels vs Highest-Level Only 


1 


You can toggle the option highest level only. That is, either it’s checked or it’s not 
checked. To switch from one to the other, move the highlight to highest level only 
and press the space bar. 


When highest level only is checked, the Sniffer analyzer’s summary view shows 
only one line for each frame, summarizing the highest-level protocol that the frame 
contains. 


When highest level only is not checked, the summary view shows a separate line 
for each protocol the frame contains!. On an external color monitor, the protocols 
are color-coded by level (see Figure 5-19, page 121). 


In X Windows, there is a separate line for each protocol of each message within the frame. 
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Two-Station Format 


Analysis often focuses on the interchange between a pair of stations. To make the 
dialog clearer, use filters to show those stations only and elect two station format. 
Two station format shows transmissions from one station on the left side of the 
screen, and transmissions from the other station on the right. An example is shown 
in Figure 5-6. (In this figure, the display is shown with highest level only turned 
off, so there is a separate line for each level of protocol.) 


rSUMMARY—Delta t-From Konig From Gateway P. 
9 0.3200 DLC Ethertype=0800, size-60 bytes 
IP D=(36.56.0.208] S=[36.53.0.181] LEN=21 ID=30706 
TCP D=23 S=1042 ACK=2930104833 SEQ=43117349 LEN=1 
Telnet C PORT=1042 <OB> 
6 0.0133 DLC Ethertype=0800, size=60 bytes 
TP D=[36.53.0.181] S=[36.56.0. 20 
| TCP D=1042 S=23 ACK=43117350 
7 0.0027 DLC Ethertype=0800, size=60 bytes 
IP D=[36.56.0.208] S=[36.53.0.181] LEN=20 ID=30707 
TCP D=23 S=1042 ACK=2930104833 
B (0.4132 DLC Ethertype=0800, size=66 bytes 
IP D=[36.53.0.181] S=[36.56. 0.20 
TCP D=1042 S=23 ACK=43117350 
Telnet R PORT=1042 <1B>I<1B>Y6k8< 
9 0.0027 DLC Ethertype=0800, size=60 bytes 
IP D=([36.56.0.208] S=[36.53. 0.181] LEN=20 ID=30708 
TCP D=23 S=1042 ACK=2930104844 
10 0.0030 DLC Ethertype=0800, size=60 bytes 
IP D=[36.56.0.208] S=[36.53.0.181] LEN=20 ID=30709 
TCP D=23 S$=1042 ACK=2930104844 


il 2 Set b 6Displyg? Prevails Next 10 New 
Help mark Menusimmoptions™ framefm™ frame capture 


Figure 5-6. Two station format for the summary view. 


In two station format, the source and destination fields are omitted. Instead, there 
are two columns, headed From XxX and From YyYy. A frame from the station on the 
left is assumed be addressed to the station on the right, and vice versa. 


Two-station format is a toggle option in the summary view. The default is not to 
have two-station format, indicated in the menu by: 


X¥ Two-station format 


By moving the highlight to this item and pressing Spacebar you reverse the X 
(inactive) to Y (active). 


Which Stations Appear in Two-Station Format. Two-station format is ordinarily 
employed with an address filter that excludes all other traffic. The source that 
appears earliest in the capture buffer is shown on the left, the source that appears 
second on the right. 
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Hints. To adjust the separation between the columns, change the width of the 
name field. To adjust the number of columns devoted to time displays, change 
your selection of time measurements (see Figure 5-7). To adjust the horizontal 
position of the display on screen, use the horizontal cursor position keys to scroll 
sideways 


Frames that don’t fit the two-station paradigm. If your display filter accepts 
frames from other sources or with other destinations, the analyzer displays the 
additional frames in the usual format. That is, for those frames the display uses the 
full width, and shows source and destination explicitly. Since this is inconsistent 
with the two-station format, it’s usually preferable to combine two-station format 
with a filter that excludes other traffic. 


Options to Show Time, Network Utilization, and Frame Size 


For every frame, the summary display permits you to include or omit various 
indicators of the time or the flow of data. The alternatives are listed in Figure 5-7 


and defined in Figure 5-9. 
Whether | Columns used 
Option Effect Required | (+ following 
blank) 
Flags | Widen flags field to 6 characters, to One col. No flags: 1 
allow for flags in addition to T and M. required | Flags: 6 
+ 
Frame Unique serial number for each frame in Required 5 (+1) 
number the buffer. ui 
ee | 
Absolute Time at which the frame was received. Optional. 14 (+1) 
time 
Delta Interval since the preceding displayed Optional. 9 (+1) 
time frame arrived. 
Relative Interval since the marked frame Optional. 9 (+1) 
time 
Bytes { Length of this frame. Optional. | 5 (+1) 
it 
Cumulative | Length of this frame and of all frames esti 6 (+1) 
bytes 1 between it and the marked frame. ae : 
Network Percentage of the network’s bandwidth sie 7 (+1) 
usage used by this frame and surrounding ; 
displayed frames. 


Figure 5-7. Displays at the left side of the summary view. 
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Flags Option 


The leftmost column of the summary display always contains the T or M flags. 
When you select the flags option, the field is widened from one column to six. 
Flags appear as letters of the alphabet, left-justified in the field. Flags defined by 
the Sniffer analyzer are shown in Figure 5-8. A custom protocol interpreter may 
also add its own flags (see Chapter 3 of Sniffer Network and Protocol Reference, 
entitled Extending and Customizing Sniffer Protocol Interpreters). 


M Mark. The reference frame for relative time or cumulative bytes. To set the mark 
on the current frame, press F2. 


Trigger. Marks the frame whose detection prompted the end of capture. 


A_ Alignment error (Ethernet, StarLAN, PC Network). Marks a frame that reached the 
network interface card with a number of bits not divisible by 8. Such a frame may 
arise when the sender detects a collision and aborts transmission. The NIC discards 
the trailing bits before passing the frame to the Sniffer analyzer. 


C CRC error (Ethernet, StarLAN, PC Network). Marks a frame whose CRC does not 
agree with the actual bytes received, suggesting that it contains invalid characters. 


L_ Lost frame (Ethernet, StarLAN, PC Network or ARCNET). Preceding the frame 
thus marked, one or more frames reached the network interface card but were lost 
before being passed to the Sniffer analyzer. 


R Reconfiguration (ARCNET). Preceding the frame thus marked, there was an 
ARCNET reconfiguration. The word RECON also appears in the frame’s detail 
view and at the right margin of a summary that shows the DLC level. 


Figure 5-8. Codes used in the flags field of the summary display. 


Measures of Time, Network Utilization, and Frame Size 


To examine a network’s throughput, you need data on the volume and timing of 
transmissions. In its summary display, the Sniffer analyzer provides several 
alternative measures of time and throughput, selectable to match the situation. You 
can include various combinations of these measures in the same display (see 
Figure 5-10, page 110). Additional measures require additional columns. This may 
push other parts of the display out of the visible portion of the window, but you 
can always scroll to see the portion thus concealed. The measures are listed in 
Figure 5-9. 
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Absolute 
time 


Delta time 


Relative 
time 


Bytes 


Cumulative 
Bytes 


Network 
Utilization 


When the Sniffer analyzer completes reception of a frame, it attaches a timestamp. 
The timestamp records the time according to the Sniffer analyzer’s internal clock 
at the moment the Sniffer analyzer recorded the end of the frame. All displays of 
time are computed from the absolute value recorded with each frame. Absolute 
time is displayed as hours, minutes, and seconds to the nearest millisecond (on 
the token ring), or to the nearest tenth of a millisecond (on networks other than 
token ring). That’s also how time is shown in the detail display. 


The time shown is the interval between the current frame’s timestamp and the 
timestamp of the preceding frame in the display. Delta time is shown with the 
same precision as absolute time. Note that because it’s the interval to the 
preceding displayed frame, frames that are not displayed don’t affect delta time. 


The time shown is the difference between the current frame’s timestamp and the 
timestamp of the reference frame. Relative time is shown with the same precision 
as absolute time. The reference frame is marked by the letter M to the left of the 
frame number. When you first display the buffer, the first frame is marked. You 
can mark a frame (thereby removing the mark from any other frame) by pressing 
F2 while you have the frame highlighted. Once you've marked a reference frame, 
you can find it quickly by the display option jump to mark (see page 127). 


The number shown is the total number of bytes in the frame, not including the 
CRC frame. 


The number shown is the sum of the lengths of the displayed frames, from the 
reference frame through the current frame (including both). When you haven't 
marked a reference frame, the analyzer counts from the first displayed frame. 


The number shown is an estimate of the percentage of the network’s bandwidth 
devoted to transmitting the displayed frame (and perhaps those preceding and 
following it). Basically, the measure is 


100 X bytes (including overhead) in all frames accepted during the interval 
theoretical maximum bytes that could be transmitted during the interval 


The interval is a time window centered around the frame.! You can set the size of 
the interval to 1, 10, 100 or 1000 milliseconds. For example, if you pick 100 
millisecond intervals, the utilization for a frame that arrived at 13:27:06.100 is 
based on the the number of bytes in frames whose arrival times ranged from 
13:27:06.050 to 13:27:06.150. 


Utilization is a moving average. With a small interval, you'll see larger . 
momentary fluctuations; a larger interval smooths them out. 


Figure 5-9. Descriptions of the optional displays for time, traffic, and density. 


Any measure of network utilization must be based on a time window, whether described explicitly or not. Viewed 
without window averaging, a network is always either 100% busy (when a frame is being transmitted) or 0% busy 
(when no frame is being transmitted). 
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Abs Time Delta T—Rel Time—Size-CumByt—DST SRC 

2112 12:22:43.8905 0.0509 -1.1000 182 36 Sun 07972C+Intr1n05 
2113 12:22:43, 902! 0.0927 -1.0072 60 654 IntrlnO58CB6+Sun 07 
2114 12:22:44.0108 0.0185 -0.9887 60 594 Broadcast +RND EN 
2115 12:22:44.7011 0.6903 -0.2084 60 534 RND EN +RND PS 
2116 12:22:44.7025 0.0013 -0.2070 106 474 RND PS +RND EN 
2117 12:22:44.7040 0.0015 -0.2054 66 368 RND EN +RND PS 
2118 12:22:44.7056 0.0015 -0.2030 88 302 RND PS «RND EN 
2119 12:22:44,7067 0.0010 -0.2028 66 214 RND EN +RND PS 
2120 12:22:44.7082 0.0014 -0.2013 88 148 RND PS «RND EN 
2 12:22:44. 9995 : Br DE 
2122 12:22:45.1040 0.1050 0.1050 24 314 Sun 07972C+IntrIn05 
2123 12:22:45.1919 0.0873 0.1923 60 374 Intrin058CB6+Sun 07 
2124 12:22:45.2500 0.0670 0.2504 182 556 Sun 07972C+Intrin05 
2125 12:22:45.3367 0.0777 0.3371 182 738 Sun 07972C+Intr1n05 

Tn 

R 

5 

ie 

K 


2126 12:22:45.3379 0.0012 0.3383 60 798 IntrlnO58CB6+Sun 07 
2127 12:22:45.4640 0.1260 0.4644 78 876 RND EN «Kate Tro 
2128 12:22:45.4788 0.0148 0.4792 182 1058 Sun 07972C+Intr1n05 
2129 12:22:45.4801 0.0013 0.4805 60 1118 IntrlnO58CB6+Sun 07 
2130 12:22:45.4811 0.0010 0.4815 88 1206 Kate Trous..+RND EN 

2131 12:22:45.4830 0.0018 0.4834 78 1284 RND EN «fate Tro 


Frame 2121 of 26341 
il 2 set Db 6Displygi7 Prev 8 Next 
Help § mark Menus fMoptions™ frame § frame 


Figure 5-10. Display showing several measures of time. 


10 New 
capture 


The Detail View 


Scrolling 


The detail view presents a complete interpretation of a frame, labeling each field 
and decoding the value of the field’s parameters. It also shows certain information 
not contained within the frame, such as the time on the Sniffer analyzer’s clock 
when the frame arrived. 


Figure 5-11 shows the text of a detail display. The detail view frequently requires 
many lines. On screen, you can scroll to the parts not immediately visible. Figure 
5-11 shows the entire detail, as it appears when you print it. The example is a 
TCP/IP frame transmitted over Ethernet, but the general format is similar for any 
network. The left margin of the detail view indicates the protocol governing that 
portion of the interpretation. 


In any panel, when the information takes more space than can fit on screen, you 
can use the cursor keys to scroll hidden text into view. On some models of the 
Sniffer analyzer you can fit more into the existing panels by using a smaller font on 
the external monitor. When SniffMaster transmits the Sniffer screen to a remote 
device, you may be able to configure a larger window, and thus have more of the 
display in view. 
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a aaen- DLC Header ----- 

DLC: Frame 1 arrived at 11:20:37.4621; frame size is 60 (003C hex) bytes. 
DLC: Destination: Station 02608C063841, Host Port 4 
DLC: Source : Station 02608C115176, Remo 26 
He Ethertype = 0800 (IP) 

a ----- TP Header ----- 

IP: Version = 4, header length = 20 bytes 

IP: Type of service = 00 

TP: 000. .... = routine 

TPs ..0.... = normal delay 

TP: ... 0... = normal throughput 

TP: .... .0.. = normal reliability 

IP: Total length = 42 bytes 

IP: Identification = 753 

TP: Flags = OX 

TP: .0.. .... = may fragment 

TP: O, 43.c = last tragment 

IP: Fragment offset = 0 bytes 

TP: Time to live = 255 

TP: Protocol = 6 (TCP) 

TP: Header checksum = 6EDD (correct) 

TP: Source address = [36.53.0.195], Jack's AST 
TP: Destination address = [36.56.0.208], TS Monitor 
ae No options 

TCP: ----- TCP header ----- 

TCP: 


TCP: Source port = 4704 

TCP: Destination port = 23 (Telnet) 
TCP: Sequence number = 378 

TCP: Acknowledgment number = 738299073 
TCP: Data offset = 20 


TCP: = (No urgent pointer) 
TCP: ...4..... = Acknowledgment 

TCP: Wee SOP USH 

TCP: 0.. = (No reset) 

TCP: 0. = (No SYN) 

5 eee 0 = (No FIN) 

TCP: Window = 512 

TCP: Checksum = 8A0D (correct) 


TCP: No TCP options 
TCP: [2 byte(s) of data] 


TCP? 

Telnet: ----- Telnet data ----- 
Telnet: 

Telnet: <0D><0A> 

Telnet: 


Figure 5-11. Detail view of a sample frame. 


When you send the display to a printer, the analyzer prints the entire text of the 
view (or views) you've selected, regardless of the boundaries of the screen. 


(es) 111 


Sniffer Network Analyzer Operations Manual 


Layers 


When a frame contains several levels of protocol, the detail view interprets all the 
levels. The outermost (lowest) level appears first, and so on in order until the 
innermost (highest) level appears last. 


On the analyzer’s screen, the detail interpretation is often larger than the available 
panel. The analyzer shows only part of the display, but you may scroll to bring 
other parts into view 


When you use both summary and detail at the same time, the analyzer shows a 
panel for each. The analyzer automatically scrolls the detail view to match the 
summary view’s highlight. When you use summary with highest level only, the 
analyzer automatically scrolls the detail view so initially it too shows the highest 
level. When you do not restrict the summary view to highest level only, the 
analyzer automatically scrolls the detail view to match the level highlighted in the 
summary. 


Controlling the level initially displayed in the detail view. When you are looking 
at detail without the summary, you can still control the level to which the analyzer 
initially scrolls when you switch to a new frame. Proceed as follows: 


Step 1. Temporarily open the summary view without highest level only. 
Step 2. Inthe summary view, move the highlight to the level you want displayed first. 


Step 3. Close the summary view. 


As you move to a new frame, the analyzer automatically scrolls the detail view to 
show the level that you last highlighted in the summary view. (When it comes to a 
frame that doesn’t include the level you selected, it shows the next lower level 
that’s actually present.) 


Formats for Higher-Level Numeric Addresses 


In the detail view, the Sniffer analyzer shows the numeric form of each source or 
destination addresses, and also the symbolic equivalent, when it’s available in the 
name table. 


When the name table gives no symbolic equivalent, the analyzer shows the 
numeric address. The format for numeric display of higher-level addresses is 
hexadecimal, except where there is an established convention for a different form. 
For example, a 4-byte IP address is shown as a succession of four decimal numbers 
separated by dots, with the entire number enclosed in square brackets. 


When the Sniffer analyzer displays an address, the formatting is done by the 
protocol interpreter for the protocol in which the address occurs. Formats vary; in 
general, the analyzer follows the conventions of each protocol. Some common 
examples are shown in Figure 5-12. 
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[ 
Token ring, Ethernet, StarLAN, ARCNET, WAN/ 
PC Network LocalTalk Synchronous 

DLC Present in all frames and shown | Present in all Every frame 

as twelve hexadecimal digits, frames and is either 

corresponding to the 6-byte shown as two from DTE or 

address. hexadecimal from DCE. 

Example: 020701031EF7 stipe 

oe corresponding 

Where the analyzer recognizes se oe 

the first three bytes as a ; 

manufacturer code, it replaces Example: 3C 

them by a 6-character 

abbreviation: 

Example: Intr1n031EF7 
XNS Shown in the same format as 6-byte DLC addresses. (Although XNS 

addresses may duplicate DLC address, the analyzer does not 

attempt to interpret the manufacturer as it does for DLC addresses.) 
IP | Represented byte by byte, but each byte is represented by its 


decimal value, a number between 0 and 255. Successive bytes are 
separated by a dot, and the whole sequence is enclosed in brackets. 


Example: [84.12.139.144] 


I 


DRP Address represented by two decimal numbers, the area and the node 
(DECnet) number, separated by a dot. Each number is computed as the binary 
value after masking certain bits in the address. 
| Example: 184.27 
DDP Address represented by two decimal numbers, the network number 
(AppleTalk) | (representing a 16-bit network address) and the node ID 


(representing an 8-bit node number), separated by a dot. 
Example: 1080.208 


Figure 5-12. Format of address, on selected networks and protocols. 


Other address levels and formats may be present, depending upon the optional 
protocol suites installed in your Sniffer analyzer. 


Transmission of 6-Byte DLC Addresses 


At the DLC level, every station on earth has a unique 6-byte address. To be more 
precise, a DLC address uniquely identifies a station’s network interface card. The 
first three bytes of a DLC address identify the interface card’s manufacturer. The 
IEEE has assigned codes to the various manufacturers. Each manufacturer uses the 
other three bytes to assign a unique identifier to each of its cards. 


Bits on the Wire vs. Bits in Memory. Historically, the various network 
technologies have had different rules for converting bits “on the wire” to bits in 


I 
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computer memory. Some systems transmit each byte high-order-bit first and some 
transmit low-order-bit first. Suppose a byte of computer memory contains the 
value that in hexadecimal is written 87. In memory, that consists of the following 
bits: 


If you could see the sequence of bits transmitted along a token ring cable, you’d 
see that each byte is transmitted with the high-order bits first, 1000 0111. 
However, if you could make the same observation on Ethernet, you'd see that each 
byte is transmitted with the low-order bit first. You’d see hex 87 go by as 1110 
0001. 


Ordinarily, these different ways of transmitting are completely invisible to any 
user or program. The interface card translates between bits on the wire and bits in 
computer memory. You only see bytes in memory, before they've been sent or after 
they've been received, but never while they’re in transit. When an Ethernet card 
receives the sequence 1110 0001, it turns that into hex 87, and the receiving 
station has the same value as the sender. Since (at the DLC level) sender and 
receiver must be on the same network and must use compatible equipment, a byte 
in the sender’s memory results in the same byte in the receiver's memory. No one 
at either end need ever know in what sequence the bits within a byte were sent. 


The IEEE standard implies that the same pattern on the wire produces two 
different bytes in memory. When the IEEE assigned codes to the various 
manufacturers, it specified the sequence in which bits are transmitted on the wire. 
It did not specify what the sender or receiver would see in memory. For example, 
Network General Corporation was assigned a particular sequence of bits. To 
transmit that sequence on token ring, a Sniffer analyzer has in its memory the bytes 
00 00 A6. But to transmit that same sequence on Ethernet, the analyzer’s memory 
must contain the bytes 00 00 65. That’s because A6 with its bits of each byte 
reversed is 65. 


Thus, to comply with the IEEE standard, a given manufacturer ID should translate 
to one number for Ethernet (or any other network using low-order-bit-first), and to 
a different number for token ring. (At present token ring is the only network using 
high-order-bit-first.) The tables that the Sniffer analyzer uses to interpret 
manufacturers’ codes make allowance for this. There’s one table for token ring and 
a different table for other networks. Beware, however, that some manufacturers do 
not follow the letter of IEEE law and use the same value in memory for both 
network types. 


Compensation for Bit-Reversal in PC Network DLC Addresses 


This section applies only to the Sniffer analyzer for PC Network. During capture, 
the PC Network analyzer gives you an option called flip DLC address. This option 
alters the way in which the bits within each byte of a DLC address are interpreted 
as characters, and hence the address that is visible during display. The following 
paragraphs explain the purpose of this feature and its effect on display. 
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During transmission, PC Network follows the low-order-bit-first convention (like 
Ethernet). However, PC Network often runs software developed for the token ring. 
In the computer, IBM software keeps a single representation of station addresses 
and uses it for both token ring and PC Network operations. That permits the 
software to keep just one table of DLC addresses, rather than one version for token 
ring and a separate version for PC Network. To permit a single address table to 
work despite different conventions for transmission, IBM software for PC Network 
reverses the bits within each of the twelve bytes that contain the DLC source and 
destination. By this means, (a) the transmission on the PC Network wire continues 
to match what the IEEE assigned, and (b) computers linked by PC Network can 
use the same address tables as those linked by token ring. 


SUMMARY—Delta I—DST SRC 
6 0.1501 NETBIOS «IBN = 30D834 DSAP=F0, UI frame 
7 0.0039 NETBIOS «IBM 30D834 DsaP=F0, UL frame 
8 0.0030 NETBIOS «IBM  30D834 DSAP=FO, UI frame 
9 0.0030 IBM 30D834+IBM 30D834 DSAP=FO, UI frame 


0 0.0180 IBM i068DE<IBN 30/898 DSAP=FO, I frame 
DETAIL 
LC 


E 

0000 UNUM MOMEMS 08 00 5A 30 7B 9800 00 FOFO ..2h...20...... | 
0010 A6 54 Of OO FF EF 1601 00000000 CC OF 0219 .T.............. | 
0020 07 00 5A 5A 00 00 08 04 40 F4 C2 gy Clee ard os | 


Frame 10 of 70 | 
Use TAB to select windows 

igh ine 6Disply—/ Prey §8 Next 0 New 

Help §@ mark in Menus fMoptions§ frame § frame capture 


Figure 5-13. PC Network frame captured without the “flip DLC” option (compare with 
Figure 5-14). 


The reversal of bits. In order to allow PC Network DLC addresses to match those 
of token ring, the Sniffer analyzer has a special flip DLC address option. When 
you elect this option, the Sniffer analyzer reverses the bit order of bytes in the DLC 
source and destination address of each frame. It does this during capture. By the 
time a frame reaches the capture buffer, the address bits have been flipped. Thus, 
the value displayed depends on the setting of flip DLC address during capture. 
Figures 5-13 and 5-14 (page 116) illustrate this for two captures of the same frame 
(recorded during a playback). While otherwise identical, the DLC addresses 
appear different. This affects not only the summary and detail views, but also the 
hex display. 
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SUMMARY—Delta T—DST. SRC 
6 0.1501 CO0000000080<IBM  0C1B2C DSAP=F0, UI frame 
7 0.0039 COQ000000080+IBM  0C1B2C DSAP=FO, UI frame 
8 0.0030 COQ000000080+IBM  0C1B2C DSAP=FO, UI frame 
9 0.0030 IBM  OC1B2C+IBM 0C1B2C DSAP=F0, UI frame 
10 0.0180 IBM O8167B-IBM  OCDE19 DSAP=F0, I frame 


: Station [BM OCDE19 


LC: 802.2 LLC length = 0 

; Frame 10 of 7 
QO00 UOMO 10 00 5A OC DE19 00 00 FOFO ..Z....2Z........ 
0 

0 


010 AG 54 Ok 00 FF EF 16 01 00 00 00 00 CC OF 0249 .T............, 
020 07 00 5A 5A 00 00 08 04 40 F4 C2 og Ble ssiee 


Frame 10 of 70 


Use TAB to select windows 
il 2 Set 4 Zoom 6Disply§/ Prev §8 Next 10 New 
Help § mark in options™ frame § frame capture 


Figure 5-14. Same PC Network frame captured with “flip DLC” option (compare with 
Figure 5-13). 


Once the Sniffer analyzer has been set to match the conventions on a particular 
network, it should use that setting for all captures; there’s no need to change it 
further. 


Protocol Interpretation 


An analyzer’s ability to interpret protocols is built from several sources and linked 
into the executable file when the Sniffer’s executable file is built. Protocols at the 
lowest levels are provided to match the network. Interpreters for higher-level 
protocols are available in suites. Each suite contains a number of protocols that are 
related or are likely to occur together. (See the list of protocol interpreter suites in 
Figure 1-10, page 21.) 


Customers may create their own protocol interpreter suites. You may want to 
consider that if you need to interpret a protocol not covered by the available 
interpreter suites. General directions for doing so are provided in the Sniffer 
Network and Protocol Reference. 


Every protocol interpreter, from whatever source, registers its presence and 
facilities with the Sniffer analyzer. In this fashion all are represented in the 
appropriate menus and displays. In the detail view, at the left edge of every line 
each interpreter shows an abbreviation indicating the protocol it is decoding. 
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When you have both detail and hex views open, for each line of the detail 
interpretation, the corresponding bytes in the hex display are highlighted. In this 
way you can see together the actual bytes and their interpretation. 


While a common registration and display procedure applies to all the interpreters, 
the various interpreters are nevertheless essentially independent, just as the 
protocols themselves are essentially independent. Within each protocol, the fields 
displayed are those that make sense within the context of the protocol. 


Bit-Level Interpretation 


A protocol may record binary attributes as individual bits packed within a single 
byte. Where that is done, the interpreters often explode each byte to show its eight 
bits separately. To illustrate, Figure 5-15 shows the interpretation of hex 1F at a 
particular position in the Banyan VINES protocol called VIP. Figure 5-16 shows an 
interpretation of the sequence 6B 80 00 from an IBM SNA header. This sort of 
decoding interprets not only the meaning of each bit set at a certain position, but 
also the meaning of each bit not set (that is, each 0). Bit-level interpretation is 
included in almost all protocols; however, in X Windows it is not universally 
shown, because the number of possible bit-encodings is extremely large. 


VIP: Transport control = iF 
: 0 


Lo, een = Unused 
VIP: _.0. .... = Do not return metric notification packet 
VIP: _..4.... = Return exception notification packet 
VIP: .... 1111 = Hop count remaining (15) 


Figure 5-15. Bit-by-bit interpretation of a byte of VINES internet protocol. 


----- SNA Request Header (RH) ----- 


RH byte 0 = 6B 
Bahk = Command 

= RU category is ‘session control’ 
.... 1... = Format indicator 
serine. 0.. = Sense data are not included 
..11 = Only RU in chain 
80 
Definite response requested 
Response bypasses TC queues 
Pacing indicator 
00 
Begin bracket indicator 
End bracket indicator 
Conditional end bracket indicator 
Change direction indicator 
Character code selection indicator 
Enciphered data indicator 
Padded data indicator 


BS fe fe fe fe b= a 


I 
n> A= 


RH byte1 
1.00 .. 


RH byte 2 
Oe os eyes 


= 


So fe SS BS Ge oe oe fe BS 


+7 


Toth EE oth oa a hi A a 


\ ( 
Nie Siete es 


Latin tells 
Figure 5-16. Bit-by-bit interpretation of three SNA bytes on token ring. 
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ISO— Alternate Displays for ASN.1-Encoded Protocols 


ISO protocols at the presentation and application levels can be interpreted in two 
modes. Each is written so that it conforms to a general syntax specified in ASN.1 
(Abstract Syntax Notation 1, ISO 8825). The individual protocols then assign 
meanings to the components identified by the ASN.1 syntax. To accommodate this 
dual level of interpretation, suite PA-1306 (ISO) gives you the option to interpret 
frames in these layers in either of two ways: 


* Syntactic. The Sniffer analyzer labels the ASN.1 components within each 
frame, or 


* Semantic. The Sniffer analyzer interprets what the various ASN.1 statements 
mean, according to the rules of the particular protocol in which the ASN.1 
statements occur. 


When you select interpretation at the X.400 level, you get the semantic 
interpretation. To see ASN.1 interpretation, turn off X.400 in the protocol display 
filter. 


Figure 5-17 shows the same fragment of an X.400 frame interpreted first for ASN.1 
syntax and then for its content as part of a P1 message envelope. 
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4 bio ----- 1.400 Message Transfer Protocol (?1) —---- X. 400: ——-- X.400 Message Transfer Protocol (P1) ----- 
PRS ies X. 400: 
X.400: 1.4 Context-Specific Constructed [0], Length=Indefinite “400° i fat 
abe: 24 “SET Toth Lengthciniefinite Oo i ee 
X.400: 3.1 Application Constructed [4], Length=Indefinite spe ee 
Y400: 4. Sent fostion a. TLength=tndefinite X.400: MPDU identifier: /C=US/ADMD=ATTHAIL/PRMD=KANJI/, VAX 
¥.400: 5.4 peptone Constructed [i], Length=Indefinite 880726 14:53:53 
X.400: 6.1 rintableString, Length=2, Value = “US” X.400: Originator: 
X.400: 5.2 Aplacatien Constructed [2], Length=Indefinite /C=US/ADMD=ATTMATL/PRUD=KANJI/O=VAX/PN=FRASIER. ALLEN. D/ 
X. 400: 6. rintableString, Length=7, Value = “ATTHAIL" ¥.400: Original encoded information types: 
YX. 400: 5.3 PrintableString, Length=5, Value = “KANJI” X.400: Basic information type = A000 
X.400: 4.2 TAdString, Length=19, Value = “VAX 880726 14:53:53” X. 400: = Tndefined 
X.400: 3.2 Application Constructed [0], Length=Indefinite a ines Cth ee i No tLX 
X.400: 4. SEQUENCE [of], Length=Indefinite Pais | lhe ne = Not 
X.400: 5.1 Application’ Constructed [1], Length=Indefinite panes. Ser mesiateis Geass 8 = LisText 
X.400: 6. PrintableString, Length=2, Value = "US" H4002 0 0. eee eee = No g3Fax 
X. 400: 5.2 la Constructed [2], Length=Indefinite 1400; .... QL eee eee = No tIFO 
X. 400: 6. rintableString, Length=7, Value = "ATTMAIL” RODE ysis Ose? “aatee. wanes = No tTX 
X.400: 5.3 Context-Specific Constructed [2], Length=Indefinite CMOOe cuties’ aetna = No videotex 
YX. 400: 6. PrintableString, Length=5, Value = "KANJI" CO ae Sal eishaene = No voice 
X.400: 5.4 Context-Specific Primitive B , Length=3, Data = "VAX" Y00F hes, hae Oh Ane = No sFD 
X,400: 5.5 Context-Specific Constructed [5], Length=Indefinite X. 400: 0 = No tIFt 
X.400: 6. Context-Specific Primitive [0], Length=7, Data = “FRASIER” ¥. 400: Content ine (P2) 
X.400: 6.2 Context-Specific Primitive [1], Length=5, Data = “ALLEN” 1400: TA cont ote 880706 14:53:53 
X. 400: 6.3 Context-Specific Primitive be Length=1, Data = "D" genie sSontet baie even 
X.400: 3.3 Application Constructed [5], Length=Indefinite 1.400: Priority = 2 (Urgent) 
X.400: 4. Context-Specific Primitive [0], Length=3, Data = "<04A000>" 1.400: Per message flag = CO 
¥.400: 3.4 Application Primitive [6], Length=1, Data = “<02>" Xt. 400: see = Disclose recipients 
¥.400: 3.5 Application Primitive [10], Length=15, Data = "880726 14:53:53" X. 400: i... .... = Conversion prohibited 
X.400: 3.6 Application Primitive [7], Length=1, Data = "<02>" YX. 400: ..0. .... = No alternate recipient allowed 
X.400: 3.7 Application Primitive [8], Length=2, Data = "<03C0>" X. 400: ...0.... = No content return request 
X.400: 3.8  Context-Specific Constructed [2], Length=Indefinite ¥.400: Recipient info: 
. ee ee fof). eat ttl P 1.400: Recipient: 
{. 400: 5. pplication Constructe , Length=Indefinite ee ene zanyneat ps cantigit4 ats 
1400: 6.4 SEQUENCE [of], Length=Indefinite ean cg a cen aaa irra 
Y.400: 7.4 Application Constructed [1], Length=I - 400: Extension identifier = 1 
X.400: 8.1 PrintableString, Length=2, Yalu 1.400: Per recipient flag= AB 
X.400: 7.2 Application Constructed [2], Len X. 400: dies 23% = responsibility flag on 
X.400: 8.1 PrintableString, Length=7, Yalue = ” X. 400: .01. .... = basic report request 
X.400: 7.3 Context-Specific Constructed [2], Length-Indefinite X. 400: ...0 1... = basic user report request 
X.400: 8.4 PrintableString, Length=5, Yalue = “kanji” X.400: Recipient info: 
X.400: 7.4 Context-Specific Primitive LA ea pa Data = "sun" 1.400: Recipient: 
1.400: 7.5 Context-Specific Constructed [5], Length<Indefinite /C=US/ADMD=ATTHATL/PRHD=kanji/O=sun/Pl=frasier. al len/ 
X.400: 8.4 Context-Specific Primitive [0], Length=8, Data = “danville 1.400: Extension identifier = 2 
X.400: 8.2 Context-Specific Primitive [1], Length=7, Data = “roberta” L 400: P iaient flag = D0 
X.400: 5.2 Context-Specific Primitive (0], Length=i, Data = “<0b" Be GUGS BBP WEELDL eM ect 29 = mice 
X. 400: 5.3 Context-Specific Primitive [1], Length=2, Data = "<O0A8>" i400: Le. oe. = responsibility flag on 
X.400: 4.2 SET [of], Length=Indefinite X. 400: SOS serng = confirmed report request 
X.400: 5.1 Application Constructed [0], Length=Indefinite X. 400: ...1 0... = confirmed user report request 
X.400: 6.4 SEQUENCE [of], Length=Indefinite X.400: Trace information: 
X. 400: 7.4 seen Constructed [1], Length=Indefinite X.400: Global domain identifier: /C=US/ADMD=ATTMAIL/PRMD=KANJL 
X.400: 8.4 rintableString, Length=2, Yalue = "US" X.400: Arrival = 26 Jul 1988 14:53:58-0700 
X.400: 7.2 Application Constructed [2], Length-Indefinite 1.400: Action = 0 (Relayed) 
X.400: 8.1 printableString, Length=7, Yalue = “ATTMATL" L 400: Tien trace info: 
X.400: 7.3 Context-Specific Constructed [2], Length=-Indefinite are ° ee aaa 
1.400: 8.4 PrintableString, Length=5, Yalue = "kanji" X40: ATH came = YAR vas 
X.400: 7.4 Context-Specific Primitive [3], Length=3, Data = “sun” X.400: Arrival = 26 Jul 1988 14:53:58-0700 
X. 400: 7.5 Context-Specific Constructed [5], Length=Indefinite 1.400: Action = 0 (Relayed) 
X.400: 8.4 Context-Specific Primitive [0], Length-7, Data = “frasier" X. 400: 
X.400: 8.2 Context-Specific Primitive [1], Length=5, Data = “allen” 
X.400: 5.2 Context-Specific Primitive [0], Length=1, Data = "<02>" 
X.400: 5.3 Context-Specific Primitive [1], Length=2, Data = "<00D0>” 
X.400: 3.9 Application Constructed (9], Length=Indefinite 
X.400: 4.1 SEQUENCE [of], Length=Indefinite 
X.400: 5.1 Application Constructed [3], Length=Indefinite 
X.400: 6.1 Application Constructed [1], Length=Indefinite 
X.400: 7.1 PrintableString, Length=2, Value = "US" 
¥.400: 6.2 Application Constructed [2], Length=-Indefinite 
X.400: 7.1 PrintableString, Length=7, Value = “ATTMATL” 
X. 400: 6.3 PrintableString, Length=5, Value = "KANJI" 
X.400: 5.2 SET [of], Length=Indefinite 
¥.400: 6.1 Context-Specific Primitive [0], Length=17, Data = "880726145358- 
0700" 
X.400: 6.2 Context-Spesific Primitive [2], Length=1, Data = "<00>” 
X. 400: 3.10 eet Constructed [30], Length=Indefinite 
X.400: 4.1 SEQUENCE [of], Length=Indefinite 
X.400: 5.1 PrintableString, Length=3, Value = “VAX” 
X. 400: 5.2 SET [of], Length=Indefinite 
X. 400: 6.1 00 Context-Specific Primitive [0], Length=17, Data = "880726145358- 
700" 
X.400: 6.2 Context-Specific Primitive [2], Length=1, Data = "<00>" 
X.400: 2.2 Constructed OCTET STRING, Length-indefinite 
¥.400: 3.1 OCTET STRING, Length=2048, Value = 
"<A080>1<80>k<80>* <80>0<80>a<801302>S<0000>..." 
X.400: 3.2 OCTET STRING, Length=85, Value = 
"<ooooo0000000ccc00N0eCRNNNNCCECoCs2OORB00000000>" 
X. 400: 


Figure 5-17. ASN.1 syntactic and semantic interpretations of the same X.400 layer of an 


ISO frame. 
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Token Ring Address Recognized and Frame Copied Bits 


As each frame circulates on the token ring, it has two extra “trailer” bytes at the 
end. The trailer is used to check the frame’s validity. It isn’t usually considered 
part of the frame, and doesn’t appear in the hex view. However, the detail view 
reports the status of two indicators in the trailer: the address recognized bit and 
the frame copied bit. They’re visible in Figure 5-18 as part of the detail view’s 
DLC report. 


DETAIL 
DLC: ----- DLC Header ----- 
DLC: 
DLC: Frame 35 arrived at 17:18:27.576; frame size is OO6F (111 decimal) byt 
DLC: AC: Frame priority 0, Reservation priority 0, Monitor count 0 
DLC: FC: LLC frame, PCF attention code: None 
DLC: FS: Addr recognized indicators: 00, Frame copied indicators: 00 
DLC: vestination: Station 400000000002, Harrys PC 
DLC: Source : Station 400000000001, Newman 
DLC: 
; LLC: ----- LLC Header ----- 
LLG: 
LLC: DSAP = 04, SSAP = 04, Command, I-frame, N(R) = 0, N(S) = 0 
LLC: 
SNA: ----- SNA Transmission Header ----- 
SNA: 
SNA: Format identification (FID) = 2 
SNA: 
SNA: Transmission header flags = 2D 
SNA: 010 .... = Format identification is type 2 
SNA: .... 11.. = Only segment 
Frame 35 of 225 
il 2 Set b ODisply—’ Preva™s Next 10 New 
Help § mark Menusfimmoptions™ framefm frame’ capture 
2 


Figure 5-18. Detail view showing token ring address recognized and frame copied bits. 


When a station recognizes itself in the frame’s destination, it sets the address- 
recognized bit. If that bit is on when the frame reaches you, at least one station 
upstream from you has recognized itself as a recipient. (A frame sent to a functional 
address may have any number of recipients.) 


When a station retains a copy of the frame, it sets the frame-copied bit. N ormally, a 
recipient both recognizes and records the frame, and sets both bits. 


The values you see for addressed recognized and frame copied depend on where 
you are located. If a frame reaches you with address recognized already set, the 
frame must have reached the recipient before it reached you. When you're looking 
for problems at a particular portion of the ring, you may wish to capture from 
different positions. The address recognized bit provides evidence of your position 
in the ring sequence. To verify that a station has accepted frames addressed to it, 
you have to be upstream from the sender and downstream from the recipient. 
(That is , you must not be between the sender and recipient in ring order.) 
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External Displays and Use of Color 


Each Sniffer analyzer has a port that can be connected to an external display. This 
permits you to connect a color display or (with the appropriate adapter) one with 
additional rows and columns. The port also serves to connect an LCD display such 


as the Kodak DataShow, teamed with an overhead projector. 


When the analyzer displays in color, each layer of protocol has its own 
characteristic shade. Where possible, each layer is identified with one of the seven 
layers of the OSI model. (However, many protocols predate the OSI model, and 
don’t fit into it very clearly.) The Sniffer analyzer assigns colors to the layers as 


shown in Figure 5-19. 

| Protocol | Layer Color 

| Physical level protocols 1 Magenta 
Fragmentation protocols Lz Red 
Link level protocols 2 Brown 
Network level protocols 3 [ener 
Transport level protocols | 4 | Yellow 

Sexson level protocols 5 Light green | 

 yeceniation level protocols 6 Light cyan 
Application level protocols I /- Light red 

| Aaclnoatien level protocols II ‘ | Light magenta 

lene protocols and network Cyan (blue-green) 
management layers | 
Various protocol glue layers Black 
Other Light blue 
Uninterpreted data Gray 


Figure 5-19. Assignment of foreground colors to layers of the OSI model,. 


Normal color displays use a blue background. Highlighted areas have a light-blue 
background. However, highlighted portions of a hexadecimal display have white 
backgrounds. 
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On some models of the Sniffer analyzer, enabling an external color monitor 
disables the built-in monochrome display. You can’t use both at once. In some 
models, you must also choose the appropriate color mode in the selection menu 
(see the Sniffer Network Analyzer Installation Guide for the model your are using). 
EGA or VGA displays have distinctly better resolution than CGA. 


The Hexadecimal View 


The hex view displays each byte as two hex characters, 00 to FF, witha blank 
between successive bytes. The bytes are arranged 16 to a row in a full-width table 
(8 to a row in the half-width table for two viewports). At the left, the offset from 
the beginning of the frame is displayed in hexadecimal (Figure 5-20). 
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0110 69 6C 08 53 74 61 GE 
0120 CO 23 00 OD 00 01 00 
0130 54 53 08 44 45 43 2p 


0100 23 00 OF 00 01 00 00 A 


03 01 13 1B 02 60 8C 06 38 41 08 00 45 00 ....... Watewde 


6C 44 24 35 00 OA 80 20 
93 E4 00 A6 84 80 00 01 tse tenedwiev en’ 


uO 00 FF 00 01 04 73 6 . edu 
6F 72 64 03 65 64 75 00 il.stanford. edu. 
00 OF 08 44°45 43 2D 31 keane DEC-1 
53 CO 23 00 0B 00 01 00 O80. WAITS. #..... 
OB 06 01 44 45 40 04 00 ............ DEC. . 
00 OB 00 01 00 00 AB CO ....... Hee awe 
40 00 00 04 CO 23 00 OB ........ Cary ae 
424: 00.62) 10601 44.45. sen $$....DE 
01 CO 23 00 OB 00 01 00 @........ ee 
C2 11 01 40 00 00 04 C0 ..... Sie © eee 
CO 00 04 24 24 00 C2 CO #.......... $$... 
CO 00 04 OA 00 00 OB CO # 

CO G0ri5:00 OA 04 53°61 #eeces eas ces Sa 
6F 72 64 03 45 44 55 00 il. Stanford. EDU. 
AB GO! OO OF 05-5741 ag oe oes I 
30 38 30 AF 
Frame 35 of 97 


il 2 Set 
Helpim mark 


Dd ODisply—i/’ Prevage Next 10 New 
Menusfmoptionsl’ framefm™ frame capture 


Figure 5-20. Hexadecimal view of a TCP/IP frame on Ethernet 


Text Transliteration 


To the right of the hexadecimal codes, the hex view shows the corresponding 


ASCII or EBCDIC characters. A standard character is shown by its text equivalent; 
anything else is represented by a dot. 


The transliteration of characters follows either ASCII or EBCDIC conventions. For 
Ethernet, StarLAN, PC Network, or LocalTalk the hex menu includes a radio- 
control with two choices, thus: 
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» ASCII characters 
| EBCDIC characters 


The default is ASCII. The choice applies to all levels of all frames. 


Automatic choice of transliteration. On token ring or WAN/synchronous link, the 
menu includes a third choice: automatic. It’s the default. 


Automatic 
ASCII characters 


EBCDIC characters 


WAN/Synchronous. When you select automatic, the transliteration depends on the 
packet type set in the options menu. When packet type is SDLC/SNA, 
transliteration is EBCDIC. Otherwise, it’s ASCII. 


To force ASCII or EBCDIC transliteration for all frames, move the highlight to 
ASCII or EBCDIC and press Spacebar. That moves the |? to the highlighted line. 


Token ring, When you select automatic, the Sniffer analyzer decides separately for 
each frame whether the frame should be transliterated as ASCII or EBCDIC. It 
gives you EBCDIC display of all MAC frames, and of any LLC frame whose SAP 
indicates that it contains SNA. It gives ASCII display of all other frames. 


To force ASCII or EBCDIC transliteration for all levels of all frames, move the 
highlight to ASCII or EBCDIC and press Spacebar. That moves the |> to the 
highlighted line. 


Length Encoding of ARCNET Frames 


The first two bytes of an ARCNET frame contain the source and destination. The 
Sniffer analyzer shows the next two bytes as an integer representing the frame’s 
total length. 


That isa simplification of what is actually transmitted on the network. ARCNET 
uses two different formats, one for short frames and another for long frames. A 
short frame has a 1-byte length field. A particular value in the first byte means that 
a second byte is present. (As a side-effect of the way this scheme is implemented, 
certain frame lengths are illegal.) The Sniffer analyzer evaluates the length 
according to the ARCNET convention. However, it records all frames in the same 
format, using a 2-byte length field. 


The analyzer replaces the one or two bytes that were actually transmitted with a 
standard 2-byte representation. In this respect, what the analyzer records is not an 
exact replica of the transmission. However, it greatly simplifies the task of pattern 
matching, since the data field starts at the same offset in all recorded ARCNET 
frames. 
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Windows, Views, and Scrolling 


When you display two or three views at once, panels in the active viewport scroll 
together. For example, when you're displaying both summary and detail, you 
might scroll the summary view so that it shows the next frame. That causes the 
detail view to show the next frame also. The views remain in step. 


Similarly, when you shift the highlight in the summary view to mark a different 
frame, the viewport’s detail view and its hex view both scroll automatically, so 
that they show the frame highlighted in the summary view. 


When you're showing multiple levels within the summary view, the report on a 
single frame may occupy several lines (one for each level). You can move the 
highlight from one level to the next, yet remain within the same frame. For 
example, you might move the highlight from the DLC level to the level above. 
When you do that, the detail view also scrolls. The level at the top of the detail 
view matches the level you've highlighted in the summary view. 


Highlighting Detail in the Hex View 


When you display both detail and hex views, as you move the highlight in the 
detail view, the Sniffer analyzer highlights the corresponding bytes in the hex 
view (Figure 5-21). That makes it easy to match bytes with their interpretation. 


(DETAIL 
le ----- SNA SC-RU (Session Control Response Unit) ----- 

SNA: 
SNA? Formatytype tlags = 00 
SNA: FM profile flags = 413 

| SNA: TS profile flags = 07 
SNA: Primary LU protocol flags = BO 
SNA: AE eed = Multiple RU chains allowed from primary LU 
SNA: .0.. .... = Immediate request mode 

—- Frame 35 of 225 

rHEX EBCDIC 

{| 0000 10 40 40 00 00 000002 400000000001 0404 . ............ 
0010 00 CO 2D 00 01 01 00 OC 6B 80 00 BM 0013 07 BO ........,.. q.... 
0020 BO DO B1 02 00 85 85 80 02 06 02 00 0000 00 00 .}...6¢......... 
0030 00 00 00 20 00 00 08 F2 (5 D5 C4D3 F440 4025 ....... SENDLU 
0040 00 09 02 Dd D6 D9 D4 C1 D3 40 40 09 03 00 00 00 ... NORMAL ..... 
0050 00 0D 00 00 00 OF 04D5 CS E3 F6 D6 DOD2 4B FO ....... NETWORK. S 
0060 C5 D5 C4 D3 E4 00 08 DO C3 F5 D3 £4 40 40 40 ENDLU. . RCVLU 

Frame 35 of 225 
Use TAB to select windows 

6Disply§7 Previi—s Next 10 New 

Helpi™ mark in options™ frame™™ frame capture 


Figure 5-21. Synchronized highlighting in the detail and hex views 
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The hex view shows the offset to the start of each line. You can readily calculate 
each field’s address. The hexadecimal offset is required when you describe a 
pattern to be matched. However, you can use the Cursor Up key to “cut and paste” 
from a displayed frame, without having to type the hex offset yourself. 


Detail and Hex Display of Spanned Frames 


In some protocols, a message at one of the higher levels may span several DLC 
frames. (See Figure 2-22, page 63) During display, the Sniffer analyzers detail 
view reassembles the entire high-level message as if the whole message were in the 
first frame. You can read the message continuously without having to jump 
among the separate frames that contain its parts. When you highlight a part of the 
detail display, the hex view continues to highlight the corresponding hex 
characters. 


Figure 5-22 illustrates the treatment of a spanned high-level message. Here are 
some points to observe: 


* Inthe summary view, the frame in which the high-level message starts has a 
note telling you how many frames the message spans. In Figure 5-22, the note 
says ISO_TP Data EOT (5 frames). In this example, the ISO TP data was split 
among frames 15, 16, 17, 18, 19 and 20. There’s no presumption that spanned 
frames are consecutive; unrelated frames might have been interspersed. 


* Inthe detail view, the entire high-level message is displayed as though all of it 
were in the frame in which it starts. When you print the display, the entire 
high-level message appears without a break, taking as many lines as necessary. 
On screen, you can see the rest of the message by scrolling within the detail 
view. 


* Scrolling within the detail view (as usual) causes the hex view to scroll 
automatically. The field you highlight has a corresponding highlight in the hex 
view. 


* The frame number in the hex view doesn’t necessarily match the frame number 
in the detail view. In Figure 5-22, the interpretation of ISO Session Layer is part 
of the detail view of frame 15, because that’s where the ISO TP data starts. 
However, the corresponding hex view shows frame 17. That’s because 
(although the message started in frame 15) its ISO Session Layer is in frame 17, 
starting at offset 36. 


* When the field highlighted in the detail view extends over additional frames, 
the hex window scrolls to the start of the field, but adds a + sign to show that 
there’s more present in a different frame. A plus is visible in the last row of the 
hex view in Figure 5-22. 


(Reework 125 


Sniffer Network Analyzer Operations Manual 


SUMMARY—DST—SRC 
15 StaC «Sta B DLC Ethertype=0800, size=60 bytes 

TP D=[192. 9.200.193] S=[192.9.200.170] LEN=26 1D=5003 
TCP D=102 S=1082 ACK=38911 SEQ=1065820 LEN=6 WIN=4 
TSO_TP Data EOT (5 frames) 

SESS Give Tokens, Data Transfer 

Frame 15 of 203 


: SPDU type = 1 (Give Tokens) 

: SPDU type = 1 (Data Transfer) 

: Length of SPDU parameter field = 3 
Frame 15 of 20 


HEY. ASCII 

0000 08 00 20 01 DA 5308 00 14 51 87 36 08 00 45 00 .. ..S...0.6..E. 

0010 00 2A 13 8D 00 00 3C 06 59C2C0 09 C8 AA CO 09 .*....<.¥....... 

0020 C8 Ci 04 3A 00 66 0010 43 6300 00 O97 FF 5018 ...:.£..Cc....P. 

0030 10 00 AD 38 00 00 QiMM 00 iF 02 FO Buk Oeee ounce 
Frame 17 of 203 


Use TAB to select windows 
1 2 Set 4 Zoom 6Disply—/ Prev 8 Next 10 New 
Help § mark in loptions™ frame § frame capture 


Figure 5-22. Detail and hex display of a spanned ISO frame. 


Function Keys Available During Display 


F1 


F2 


F3 


F4 


F5 


During display, the following function keys are active: 
Help. Provides assistance in using the Sniffer analyzer. 


Set mark. Marks the reference frame with an M. The values reported by relative 
time and cumulative bytes count from the marked frame (see page 107). 


Display. When display has been interrupted (for example, by pressing F6 to 
change the display options), F3 is enabled. Pressing it resumes display. 


Zoom in/out. Temporarily expands the active panel to fill the entire window. 
Especially when several panels are open at once, the space for an individual panel 
may be too small to show much. Pressing F4 zooms so that the active panel has the 
entire window. The other panels are concealed. Pressing F4 a second time restores 
the tiled arrangement of the open panels. 


Zooming enlarges all the panels, but places them one above another so you only 
see one at a time. You can still use the Tab key to move to the next open panel, 
which then gets the whole window. 


Menus. Returns you to the main menu. 
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F6 


F7 


F8 


Display options. Provides you with the basic set of display options found in the 
Sniffer analyzer’s main menu. It also offers several auxiliary options, permitting 
you to: 


Go directly to a specific frame number. 

Search for a text string. 

Search for a pattern in a frame. 

Jump directly to the marked frame. 

Jump directly to the trigger frame. 

See the following section, Searching and Jumping, for further information on 


these choices. 


Previous frame. Takes you to the previous frame. Only frames that pass the current 
display filter are shown, so pressing this key takes you to the adjacent visible frame, 
perhaps skipping over one or more that the filter rejects. 


In a summary view that shows several frames at once, F7 (or the Cursor Up) 
moves to the preceding line (either the preceding frame or the preceding level of 
the current frame). It does so by moving the zone that is highlighted and scrolling 
if the highlight is already at the edge of the panel. 


In the detail window and the hex view, F7 replaces the current display with the 
display for the preceding frame. 


If you have multiple views within a viewport —that is, summary, detail and 
hexadecimal— when scrolling takes you to another frame, your hexadecimal or 
detail views (if open) move to that frame, too. 


Next Frame. Pressing F8 (or the Cursor Down key) takes you to the next line or 
the next frame in the same way that F7 takes you to the preceding line or frame. 


F10 New Capture. Starts the capture process again. 

Cursor t Scrolls to the preceding line of the display. 

ie aera 1 Scrolls to the following line of the display 
eys 


¢ Scrolls the display so 8 columns to the left are 
brought into view. 


» Scrolls the display so 8 columns to the right are 
brought into view. 


PgUp Scrolls to the preceding page of the display. 
PgDown Scrolls to the following page of the display. 
Home Jumps to the top of the display. 
End Jumps to the bottom of the display. 
Tab Moves to next panel. 


Shift Tab Moves to previous panel. 
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Searching and Jumping 


When you press F6 during display, you get a menu of display options 
superimposed on your current display. It includes several ways of searching and 


moving rapidly to particular frames (Figure 5-23). 


Jump to mark Jumps to the frame marked M. (If you haven’t marked a frame, the 
first frame is marked by default.) 


Jump to trigger Jumps to the frame marked T. 


Go to Frame To move directly to a frame whose number you know, select Go to 
frame nn. When you press Enter, the Sniffer analyzer opens an 
additional dialog box in which you can write the number of the 
frame you want. It won't let you ask for a frame whose number is 
larger than the number of frames in the buffer. 


Search for Text 


This is one of the display options. You reach it by pressing F6 while you have a 


display on the screen. 


rSUMMARY—Delta T—DST. 


Display 
Options 


DISPLAY OPTIONS ———— 


Go to frame nn 


< 


Search for text 


Search for pattern€ 


Jump to mark 
Jump to trigger 


J Summary 
x Detail 
More! 


<€ 
< 


Search summary lines or frame data for the specified text. 


Use the arrow keys to move, or ENTER to do this functio———= 


Text = 


In summary text 
In detail text 
In frame data 


1 3 Data 
Help display 


) 
Menus 


10 New 
capture 


Figure 5-23. Menu for requesting a text search. 


Move the highlight to the field that says Text = , and press Enter. The analyzer 
opens a dialog box headed enter text. Type up to 31 characters. The search is case 
sensitive. Press Enter to record the text you want to look for (Figure 5-24). Then 
choose a place to look— in the summary text, the detail text, or the text of the 
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frame data. (When you choose frame data as the place to look, you have the 
further choice of searching the text’s ASCII or EBCDIC representation.) 


To begin the search, move the highlight back to search for text, and press Enter. 
The Sniffer analyzer moves forward through the frames, searching for the text you 
entered. When you ask for a search in the summary or detail view, the search is not 
for characters in the frame itself, but for characters that appear in the analyzer’s 
interpretation. The analyzer generates the summary, detail, or hex display for each 
frame and searches it for characters that match your request. Figure 5-24 shows a 
request to search some LocalTalk frames for the phrase “Distance = 6” in the detail 
view. 


rSUMMARY—Delta T—DST SRC 


Go to frame nn 


1 = Search fpeNieR 1EAT —z 
DEW Jump to Se — 
Jump to Enter case-sensitive text to search for 


/ Summary or press ESC to abort 
J Detail 


Distance = 6 


—=se the arrow keys to move, or ENTER to do this functi 


Frame 2 of 150 
Use TAB to select windows 


il 
Help 


Figure 5-24. Dialog box to collect text to search for. 


Search starts with the frame following the one you are looking at and stops at the 
first match. If the search reaches the last frame in the buffer without finding a 
match, searching continues from the first frame in the buffer. If all frames have 
been searched without finding a match, the analyzer reports that and stops 
searching. 


(aed) - 
General 
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rSUMMARY—Delta T——-DST——SRC 

117 ~=©0.0004 DC +67 CTS (Clear to send) 

118 = 0.0127 67 = + ASP R GetStat LEN=318 

119 5.4809 FF  +DC a ee to send) 
MP 


814 Request to send 
122 =©0.0005 67 <+2C CTS Clear to send) 
123 «0.0011 DC +67 ASP C OpenSess WSS=253 Version=0100 
124 0.0204 67 =D RTS cause to send) 


125 0.0004 DC <67 CTS (Clear to send) 


\ 


Tuple 43 : Net = 1324, Distance 
Tuple 44 : i 
luple 49 : 
: Tuple 46 : Net 
RIMP: Tuple 47 : Net 
RTMP: Tuple 48: Net 


1589, Distance 
1078, Distance 


=e) 
, = 6 
Off, Distance = 0 
=) 
=e 
1080, Distance = 2 


i WA 


RT P: [Normal end of "RTMP Data ". ] 
Ps 


Frame 120 of 1 
Use TAB to select windows 


il 2 Set 4 Zoom 6Disply™/ Prev §8 Next 10 New 
Help § mark in options™ frame § frame capture} 


Figure 5-25. Frame found by search for text. 


When the search reaches the last frame in the buffer, it continues searching from 
the first frame. When the Sniffer analyzer finds the text you requested, it displays 
the message, found at frame nn. If the summary view is open, it highlights the 
frame. 


To repeat the search, press F6 again (to return to the display options menu) and 
then S (for search for text). The text you last searched for is still in the field marked 
text = . If you're searching again for the same text, just press Enter. Otherwise, 
replace the search text and then press Enter. 


Search for Pattern 


You can search for a frame containing a particular pattern. Figure 5-26 shows the 
menu for specifying a search pattern. The procedure is exactly the same as the one 
for specifying a pattern in the capture filter (see page 44 ff). 
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-SUMNARY—Delta 1 


DST 


rr 


2 


Go to framenn € Pattern = XXX... €) 
Search for text ¢€ Offset = 000 ¢ 
Search for patterns AND 
Jump to mark <€ | AND | OR 
Jump to trigger €} [POR Pattern = XXX... € 
J Match 3 ¢< Offset = 000 4 
/ Summary AND st 
Hexadecimal 


t 


ting entries= 


RTMP R NET=1289 Rou 
Match 


{L 
Poon match 
x Either offset 


OR 
Jv Match 4 


4 Character 


More! 


Use this match? 


(Press Enter to change the name. ) er 
—Press space to select (v) or not select (x); Alt-space inverts all. 
21 0.0004 DC +67 CTS (Clear to send) 
3 Data D 0 New 
Help display’ Menus capture} 


Figure 5-26. Specifying a pattern t 


Exporting a Report on Frames 


o search for. 


in the Capture Buffer 


You can generate a report on the frames in the capture buffer. The report can be 


sent directly to the printer, or to 


a file. The file can be formatted for printing or for 


input to another program (for example, to a spread sheet). 


Frames that pass your current d 


isplay filters are included in the report. The fields 


reported are those currently displayed on the screen. However, since the report 
isn’t confined by the size of a screen panel, it doesn’t exactly duplicate the layout 


you'd see on screen. Some scree 


n concepts are not relevant to reports. Reports do 


not represent colors or highlighting. 


Range of Frames Included in the Repo 


rt 


The report includes all displayable frames within a certain range. By default, the 
Sniffer analyzer assumes the range includes all displayable frames, from the first to 


the last. 
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¥ Summary >From first frame 
Cable Tester €| x Detail From frame 3 € 
Traffic Generator #| x Hex 
Capture filters x Two viewports >To last frame 
Trigger To frame 54 ¢€ 
Capture ¢ Filters 
Display ¢ Device LPT1 
Files Nanage names Device COM1 
Options File 
Exit ¢ 
X Delimited format 
/ Print page titles 
Page size=50 4 


Print the capture data to a device or file 
using the currently selected display formats. 
Use the arrow keys to move around in the menu 


il 3 Data 10 New 
Help display capture 


Figure 5-27. Options for printing to device or file. 


Alternatively, you can limit the range by setting the frame numbers of the first and 
last frames to be printed. A pair of radio controls flips between first or last and a 
specific number. The Sniffer analyzer automatically supplies its own initial frame 
numbers. It assumes you want frames lying between the marked frame and the 
current frame (Figure 5-27). (You mark a frame by pressing F2 while it is 
highlighted; if you haven’t set the mark, it’s on frame 1 by default. The current 
frame is the one now highlighted in the display.) 


To change the printing range, highlight the phrase from frame or to frame and 
press Enter. The analyzer opens a dialog box for you to supply a frame number. 


Sending a Report to a Printer or a File 


Printer port. Your report can be sent directly to a printer. It may be routed either to 
LPT1 (for a parallel connection) or to COM1 (for a serial connection). If you use the 
serial port, you will also have to specify the communication baud rate and the 
mode. See the discussion of these matters in your printer manual or in the DOS 
manual supplied with your Sniffer analyzer. 


Figure 5-28 shows a printed report from a StarLAN network. This report shows 
the summary view of frames 60 through 70. 
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Sniffer data collected on 2/1/87 at 13:31:24, file D:\SLDEMO\TDEMO.SLC, Page 1 


SUMMRY Rel Time Destination Source Summary 
60 -0.0090 Pine C .. CHampel DNS R ID=166 STAT=OK NANE=sail.stanford. edu 
61 -0.0068 Tamalpais Hampel ICMP Redirect (Redirect datagrams for host) 
62 -0.0046 Tamalpais Pine C .. ICMP Redirect (Redirect datagrams for network) 
63 -0.0026 CHampel Pine C .. DNS R ID=166 STAT=OK NAME=sail. stanford. edu 
M 64 0.0000 Pine C .. CHampel DNS R ID=166 STAT=OK NANE=sail.stanford. edu 
65 0.0022 Tamalpais Hampel ICMP Redirect (Redirect datagrams for host) 
66 0.0045 Tamalpais Pine C .. ICMP Redirect (Redirect datagrams for network) 
67 0.0065 CHampel Pine C .. DNS R ID=166 STAT-OK NAME=sail. stanford. edu 
68 0.0090 Pine C.. CHampel DNS R ID=166 STAT=OK NAME=sail. stanford. edu 
69 0.0110 Tamalpais CHampel ICMP Redirect nee datagrams for host) 
70 0.0123 Tamalpais Pine C .. ICMP Redirect (Redirect datagrams for network) 


Figure 5-28. Printed report of a summary view. 


File. When you export your report to a file, the analyzer opens a dialog box for you 
to write the filename. Initially, the dialog box contains the path but no name, The 
path shows the default drive and the current directory. You can overwrite those if 
you wish. Write your filename using no more than eight characters. Don’t include 
an extension; the Sniffer analyzer automatically attaches the extension . PRN for a 
printer file, or «CSV (“comma-separated values”) for a file in the delimited format. 
If the name you propose is already in use, the Sniffer analyzer warns you, you can 
abort the request or go ahead and overwrite the existing file. 


When you've established the destination, move the cursor back to the print menu 
item and press Enter to start the print process. 


Displayed on screen Sent to file or printer 


Summary shows a line for each protocol selected in the protocol or address level 
filters. 


A frame’s detail is visible in the lower | A frame’s detail follows its summary. 
panel while its summary is 
highlighted in the upper panel. 


A frame’s detail starts with the level Detail is limited to the protocols 


that is highlighted in the summary selected in the protocols filter. Detail 
view. However, you can scroll to see follows the summary for each frame, 
the interpretation of any protocol the with protocols in order from lowest to 
frame contains, regardless of display highest. 

filters. 


Figure 5-29. Treatment of summary and detail on screen and to a file. 


Content of the Exported Files 


In general, a report sent to the printer or to a file contains the same information 
you see on the screen, but without the restriction of the small panel. Detail sent to a 
file is treated differently from detail on screen. On screen, only a small amount of 
detail is visible, but you can scroll to any level. In an exported file, scrolling is not 
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an issue. However, in a file, detail includes only the protocols you request. See Figure 
5-29. 


Delimited Format for Export to a Spread Sheet 


When you select delimited format, the output is written as comma-separated values. 
In this format, each character field is surrounded by double quotes. A numeric 
field is written as ASCII characters without quotes. Successive fields are separated 
by commas. 


SUMMARY—Delta T—DST————SRC 


120 5.4869 15625.255 +15625, 220 DLC LAP type=DDP Short 
DDP D=15625, 255 S=15625. 220 Type 
HP R NET=1289 Routing entries= 
123 1.8709 1045. 20 +1289. 103 LC LAP type=DDP Long 
DDP D=1045. 20 S=1289.103 Type=3 
ATP C ID=2671 LEN=0 
ASP C OpenSess WSS=253 Version=0 
126 = =0,0222 1289.103 +1045. 20 DLC LAP type=DDP Long 
DDP D=1289.103 S=1045.20 Type=3 
ATP R ID=2671 LEN=0 NS=0 
ASP R OpenSess SSS=139 ID=49 ERR 
129 0.0028 1045.20 +1289, 103 DLC LAP type=DDP Long 
DDP D=1045. 20 S=1289.103 Type=3 
ATP D ID=2671 
132 0.0033 1045.20 +1289. 103 DLC LAP type=DDP Long 
DDP D=1045. 20 S=1289.103 Type=3 
ATP C ID=2672 LEN=0 
ASP CT 
135 0.0031 1289.103 +1045. 20 DLC LAP type=DDP Long 
DDP D=1 45,20 Type=3 


il 2 Set b oDisplyg/ Prev 8 Next 10 New 
Help @ mark Menus foptions§ frame § frame capture 


Figure 5-30. Portion of the summary display of a set of LocalTalk frames. Compare their 
CSV format in Figure 5-31. 


Comma-separated values is a format widely used for importing data to spread 
sheets. The file’s first line defines the fields. Each subsequent line is a record, 
containing the value of each field. A line of the exported file corresponds to a row 
of the summary view on screen. That is, the file has either one line per frame or one 
line per protocol level. 


When you turn off highest level only, a frame’s display may take several rows. On 
screen, a field that is the same for every row (for example, the frame number) is 
written only once, on the frame’s top row. That field is left blank in the frame’s 
later rows. However, in the comma-separated values file, every row is filled in, 
even when a field repeats the row above. Figures 5-30 and 5-31 show an example 
taken from a LocalTalk network. Figure 5-30 shows data as it appears on the 
screen, while Figure 5-31 shows a CSV file of the same data. 
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pase er 
See ee 
BO ANY, 
Pes | OS 
By 18, 
Hele) hoes 
et DOS, 
ew DG: 
tee 106; 
woe 128 
mw. 126; 


5. 4869, 
5. 4869, 
5. 4869, 
1.8765, 
1.8765, 


1.8765, " 


1.8765, 


0028, 


0033 


USS, 


0031, 
0031, 
0031, 
0031, 
0044, 


ooo ooo DS coo oc lo 2 Oo oo eS 


Oo 


0044, 
. 2662, 
. 2662, 
. 2662, 
. 2662, 
0, 2662, 
0.0028, 
0.0028, 
0, 0028, 
0.0035, 
0.0035, 
0.0035, 
0.0035, 
0.0194, 
0.0194, 
0.0194, 
0, 0194, 


oo eo 2 <2 


fa) 


0222, "1 
0222, "1 
0222, ' 
0222," 
0028, "1 
0028, "1 


0033, " 


0033, * 
0033, "1 


0044, "1 
0044," 
0044, “1 


"15625, 255 
"15625, 255 
"15625, 255 
"1045, 20 


"1289. 103 
"1289. 103 
"1289. 103 
"1289. 103 


"1045, 20 
"1289. 103 
"1289. 103 
"1289. 103 
"1289. 103 
"1289. 103 
"1045.20 
"1045, 20 
"1045, 20 
"1045, 20 
"1045, 20 
"1045, 20 
"1045. 20 
"1289. 103 
"1289. 103 
"1289, 103 
"1289. 103 


" 
, 


” 
, 


" 


"Flags", "Frame", "Delta Time", "Destination", 
" "15625, 220 
" "15625. 220 
"15625. 220 


"1289. 103 
"1289. 103 


, "1289. 103 
", "1289. 103 
, "1045. 20 
, "1045. 20 


", "1045, 20 


, "1045, 20 
, "1289. 103 


" "1289. 103 


, "1289. 103 
, "1289. 103 
", "1289. 103 
", "1289. 103 
, "1289. 103 
, "1045. 20 
, "1045. 20 
", "1045. 20 
, "1045. 20 
, "1289. 103 
, "1289, 103 


"1289. 103 


, 1289. 103 
, "1289. 103 
, "1045. 20 
, "1045. 20 
", "1045. 20 


", "1045, 20 


, "1045. 20 
"1289, 103 


", "1289, 103 
", "1289. 103 


", "1289. 103 


", "1289. 103 


", "1289. 103 
, "1289. 103 
", "41045. 20 


", "1045. 20 


, "1045.20 
, "1045. 20 


Source", "Protocol", "Summary" 

" "DLC"," LAP type=DDP Short" 

" “DDP", "D=15625, 255 S=15625,220 Type=1 (RTHP data)” 
" “RTMP","R NET=1289 Routing entries=48" 

" "DLC", " LAP type=DDP Long” 

" "DDP", "D=1045, 20 S=1289.103 Type=3 ATP)" 
" "ATP", "C ID=2671 LEN=0" 

" "ASP" "C OpenSess HSS=253 Version=0100" 
"DLC"," LAP type=DDP Long" 

" "DP", "D=1289. 103 S=1045.20 Type=3 (ATP)" 
" "ATP" "R ID=2671 LEN=0 NS=0 " 

" "ASP" "R OpenSess SSS=139 ID=49 ERR=0" 

" "DLC"," LAP type=DDP Long” 

" “DDP", "D=1045.20 S=1289.103 Type=3 (ATP)" 
* "ATP", "D ID=2671 ” 

" "DLC", " LAP type=DDP Long" 

" DDP", "D=1045.20 S=1280.103 Type=3 (ATP)" 
* "ATP" "C ID=2672 LEN=0" 

" "Asp", "C Tickle ID=49" 

" "DLC", " LAP type=DDP Long” 

" "DDP", "D=1289.103 S=1045.20 Type=3 (ATP)" 
" "ATP", "C ID=16531 LEN=0" 

" "ASP" "C Tickle ID=49" 

" "DLC"," LAP type=DDP Long" 

" "DDP", "D=1045.20 S=1280.103 Type=3 (ATP)" 
" "ATP" "C ID=2673 LEN=46" 

" "Asp" "C Command ID=49 SEQ=0 LEN=46" 

" "AFP" "C Login AFPVersion 1.1" 

" "DLC"," LAP type=DDP Long” 

" “DDP", "D=1289. 103 S=1045.20 Type=3 (ATP)" 
" "ATP" "R TD=2673 LEN=0 NS=0 (Last)" 

" "asp", "R Command RESULT=-5019 LEN=0" 

" "AFP", "R Error=Paramkrr " 

" "DLC"," LAP type=DDP Long" 

" “DDP", "D=1045. 20 S=1289.103 Type=3 (ATP)" 
ATP’ "DAD A26 13 © 
" "DLC"," LAP type=DDP Long" 

" “DDP", "D=1045, 20 S=1289.103 Type=3 (ATP)" 
, "ATP", "C ID=2674 LEN=0" 

" "asp" "C CloseSess ID=49" 

" "DLC"," LAP type=DDP Long" 

" “DDP", "D=1289. 103 S=1045.20 Type=3 (ATP)" 
" "ATP", "R ID=2674 LEN=0 WS=0 " 

" "ASP" "R CloseSess " 


Figure 5-31. A CSV file created with all levels of the summary display. 


(It isn’t illegal to ask for CSV format while reporting detail or hex views. However, 
the output is in CSV format only for the summary view. The CSV file includes data 
from the other views, but in the standard printer format.) 


ene 
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Page Titles 


Page Size 


If you check the page titles option, each page (whether written to a file or directly 
to the printer) starts with a heading. The heading specifies the date and time the 
data was recorded. It also shows the name of the network (when the file was 
captured live) or the name of the file (when the capture buffer was loaded from a 
saved file). At the far right, it shows the page number. 


There are two blank lines between the heading and the start of the data. 


Having page titles also causes explicit page breaks. When you select page titles, the 
Sniffer analyzer includes a form feed character after the last non-blank line of each 
page. 


You can’t use page titles with CSV format. 


When you select page titles, you can also set page size, the number of lines per 
page. By default, the number is 50. That is the total number of printed lines. For 
example, if you use headings, and accept the default of 50 lines per page you get 
the heading, two blank lines, and 47 lines of data. 


Since each page break is indicated by an explicit form feed, there is no separate 
setting for the physical length of the paper. 


Managing Names in the Displays 


To make its displays more readable, the Sniffer analyzer permits you to substitute 
names for numeric addresses. The menus offer several options to supply new 
names, modify existing names, or preserve the use of names. 


The Working Name Table 


To translate between the addresses and the names that appear in the display, the 
Sniffer analyzer refers to a name table. For each address, the name table contains 
three columns (see Figures 7—7 and 7-8, page 163 ff): 


* Address level. The protocol in which the address can occur. The list of possible 


address levels depends on the protocol interpreter suites you have installed. 
Station address. The sequence of bytes that constitute the numeric station address. 


Symbolic name. The word or phrase you have assigned to the address (blank, 
when you haven’t assigned one). 
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In the table, a station address never exists alone, but is always paired with a 
specific protocol. A symbolic name is thus an equivalent, not for an address alone, 
but for a particular pairing of protocol-and-address. 


Dynamic Nature of the Name Table 


Stage 1. 


Stage 2. 


Stage 3. 


Stage 4. 


Any time: 


A working name table contains two kinds of entries: 
Named protocol-and-address pairs. 
Unnamed protocol-and-address pairs (whose name field is therefore blank). 


The Sniffer analyzer sorts the table alphabetically by name. The unnamed 
addresses, having blank names, appear first. 


The working name table is built and used in several stages: 


Initialization. When it starts, the Sniffer analyzer initializes its working name table 
with names and addresses in the file STARTUP.xxD. (It omits addresses that lack 
names in the STARTUP file.) The Sniffer analyzer also inserts its own address and 
assigns itself the name This Sniffer. (It does that even when the saved table 
assigned the analyzer another name.) 


There is a maximum size for the working name table table. By default, it has room 
for 500 names. You can alter the table’s maximum size by editing the startup 
parameter maxstations (see Chapter 7, Sniffer Files, page 172). 


Capture. During capture, the Sniffer analyzer may use names already in the table 
to label displays (for example, the counts of source and destination pairs) but it 
does not revise the name table. 


First display. The first time you use display after a new capture, the Sniffer 
analyzer scans all the frames in the buffer for new addresses and puts new 
addresses into the working name table with blank names (see page 135). 


Display of particular frames. During display, each time the analyzer generates an 
entry for the summary or detail description of a frame, it checks whether the 
frame’s addresses are in the name table. It adds any address it finds up to the limit 
of 50 unnamed addresses at each level. 


Editing. Before or after any of these stages, you can edit the working name table. 
You can add new addresses, insert names for addresses, or edit any of the entries. 


Assigning Names to Addresses; 


You manage names by editing the working name table. There are several different 
routes: 


Edit. You can manually provide the symbolic name by editing the working name 
table. 
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* Resolve Names. Ask the Sniffer analyzer to search a previously-saved name file 


and to copy from it symbolic names for addresses that are unnamed in the working 
name table. 


Look for names. Certain protocols let stations exchange tables of names and 
addresses. When you ask the Sniffer analyzer to look for names, it scans the 
capture buffer for such messages and extracts names from them (see page 141). 


Saving the Name Table for Later Use 


When you ask the Sniffer analyzer to save names, it copies the current working 
name table to the analyzer’s startup file. Then each time you start the analyzer, the 
working name table is primed with the names in the startup file. 


When the startup file contains names that are no longer appropriate, you can edit 
them individually or clear them all out and start over; see the section that follows. 


The changes you make affect the working name table (in the analyzer’s main 
memory). When you exit the analyzer, it discards the working name table. (If you 
haven't saved the name table, the analyzer warns you that it’s about to discard it. If 
you want to save the name table, cancel the request to exit.) To record the names, 
before you exit, use the save names command to copy the working table into the 
startup file. 


Editing the Working Name Table 


When you select edit names, the Sniffer analyzer opens a dialog box showing the 
current name table (Figure 5-32). One line in the table is highlighted. You can 
scroll through the table to move the highlight or bring other names into view. 


The first time you use display, the analyzer scans for new addresses. If you have 
finished capturing but haven't yet displayed any of the captured frames, the name 
table has not yet been updated. If you want to assign names to addresses in the 
frames just captured, first display a few of the frames. Opening display makes the 
analyzer add new addresses to the working name table (see page 135). Then use 
edit names to give names to these addresses. 
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FEDIT NAME Level Address 

<New station> DLC 
<New station> IP 

DLC 0207010027C0 

DLC 02608C036367 

IP (36. 53. 0. 195] 
All Campus TP (36, 255, 255, 255] 
Cerberus IP (36.53. 0.10] 
Swanee IP 36.56. 0. 208 
Backbone A DLC 020702002BAr 
Backbone B DLC 020701002C60 
Broadcast DLC FFFFFFFFFFFF 
ClearView IP (36.54. 0,12] 
Fido DLC 40003011318 
Konig DLC 026080036310 
Tarpit IP (36.8.0. 47] 
Lundy IP He era a 
pda TP Here at 

Use y and T then press ENTER, or ESC to return. 


i 
Help 


Figure 5-32. Dialog box to edit the working name table. 


Each name consists of a pairing of level (that is, protocol) and address. For 
example, in Figure 5-32, the name Fido is attached to a station of level DLC and 
address AA0003 01121B. The name Tarpit is attached to a station of type IP and 
address [36.8.0.47]. 


To edit a name, move the highlight to the type-and-address pair you want to 
change, and press Enter. The Sniffer analyzer opens a dialog box to receive a new 
name (Figure 5-33). 


D } iwiate ha tot} | 
ace Th] oO fo ra’ On | 
| Press vel co aelete this Staclon. | 


Press ESC to leave it unchanged. 


Pee da at 
Press ESC to abor 


Figure 5-33. Dialog box to give a station a new name. 


At the top of the name table, there are lines marked <new station>. There’s always 
one for the DLC level, and also one for each level checked in the address level 
filter. When you highlight one of those and press Enter, the Sniffer analyzer asks 
for an address and a name. (If you select new station when setting a station address 
filter, the same dialog box appears.) 
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pEDIT NAMES 


Enter the new IP address of the station 
in the format [n.n.n.n], where each n < 256 


11. 22.33.44 


Enter the name of the new station: 


BIG TREE 


Press ESC to abort 


Figure 5-34. Dialog box to type a new station’s name and address;. 


Caution: When you insert a new name in this manner, the Sniffer analyzer revises 
the name list in working memory. It doesn’t update the stored file of names, so the 
revision is temporary. If you want to make the change permanent, select display in 
the main menu, then manage names, and finally save names. (For more details, see 
the discussion of Managing Names at page 136.) 


When you specify a name for a station that already had a name, your new name 
thereby replaces the former name. Within the name table, addresses must be 
unique. However, names don’t have to be unique; it’s permissible to assign the 
same name to different addresses.1 


Clearing the Name Table 


The option clear all names empties the Sniffer analyzer’s working name table, 
removing both names and addresses. Use this command when you want to start 
over, perhaps before resolving names from a name file or looking for embedded 
names within higher-level protocols in the capture buffer. 


Caution: Clear all names followed by save names would empty not only the 
Sniffer analyzer’s working name table but also the name table in the STARTUP file. 


The Sniffer Analyzer Scans the Capture Buffer for Addresses 


The first time you display captured frames following a new capture, the analyzer 
scans the entire capture buffer for addresses. During the scan, it notes all addresses 
at any of the levels checked in the address level filter. When it finds a new address, 
it adds it to the working name table . 


The name table has a maximum size. By default, it has room for 500 addresses. 
During its scan for new addresses, the analyzer stops adding addresses when the 


The level at which an address is considered part of the address. For example, 12345 as a DLC address isn’t the same 
as 12345 as an XNS address. 
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table is full. Also, it never adds more than 50 addresses at any level, even when 
there’s room for them 


When the buffer contains many frames, the search may take a few seconds; the 
analyzer displays a thermometer-style gauge showing percentage completion. 


Each address thus added has a blank name field. The analyzer sorts the address in 
alphabetical order by name. That puts the entries with blank names at the top of 
the list. When you edit names, it’s easy to see where additional names are needed. 


Taking Advantage of the Automatic Address Scan. 


When you expect to assign names to new high-level addresses, set the address 
level filter before you first display. That way the analyzer will automatically add 
up to 50 new addresses at each level; you have only to name them. 


However, if you start display without setting the address level filters, you can still 
get the analyzer to add new addresses to the table. Press F6 for display options, go 
to address level, and check the levels you want. Press F3 to return to display. As 
you browse through the captured frames, whenever the Sniffer analyzer displays a 
frame, it adds any new addresses at the levels currently marked with a Vv. This 
doesn’t scan the entire capture buffer, but it does add addresses from the frames 
you display. 


Caution: Addresses you haven’t named are temporary. If you execute save names, 
the analyzer purges addresses that remain unnamed. So if you want to keep a 
record of new addresses, assign each a name before you save names. 


Looking for Names within the Captured Frames 


Certain protocols (for example, Novell NetBIOS, or TCP DNS) let stations 
exchange tables of addresses and the names their users have adopted. When you 
ask the Sniffer analyzer to look for names, it scans the capture buffer for such 
messages. From them, it copies two kinds of entries to the working name table: 
(1) Names for addresses already in the name table without names; (2) Both name 
and address for addresses not in the table. This technique may find names or 
addresses for stations that weren’t themselves sending or receiving. 


Remember: Names found this way may be quite transitory. For example, you may 
find a name that a user assigned for a single work session. The user may move to 
another machine and assign the name to a different address. Because such names 
are so readily changed, you may not want to save a name table constructed this 
way; it may be wrong next time you use it. 


Resolve Names by Referring to External Dictionaries 


To help identify the addresses within a particular trace, you may have the Sniffer 
analyzer look up names from an external file. When you ask it to resolve names, 
the analyzer opens a dialog box showing a list of files that it recognizes as 
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dictionaries. You select one of them in the usual way: by moving the highlight to 
its name and pressing Enter. 


The Sniffer analyzer checks its working name table for addresses you haven't 
named. Then it searches the name file you indicated. If it finds a name in the file 
for an address that’s not yet named in the table, it inserts it. During the rest of the 
current work session, the analyzer (as usual) displays the symbolic equivalent from 
the name table in place of the hex address. 


Because resolve names adds names only for unnamed addresses that are already 
in the working name table, it never overwrites names already there and it never 
adds new addresses to the table. 


(Note that the working name table is discarded when you exit from the Sniffer 
analyzer. To preserve the names you have added, execute save names to copy the 
working name table into the startup file. This saves names and addresses, but 
discards addresses that lack names.) 


Importing a Name File 


You can import a name file or construct your own with a text editor. Once you 
have the additional dictionaries, the resolve names command can search them for 
names to go with addresses in the working name table. 


For the analyzer to recognize and use a name file, the file’s name must have an 
identifying extension and its text must be in a standard format. The name file’s 
name and format are described in Chapter 7, see page 162. 


Total Size of the Name Table 


The Sniffer analyzer sets a limit on the size of the name table. Ordinarily, the limit 
is 500 names. However, you can make the name table larger by changing the 
startup parameter MAXSTNS=500 to something else. (See the discussion of startup 
parameters at page 172.) 


Files of Saved Frames 


The Sniffer analyzer permits you to save all or part of the contents of the capture 
buffer to a file. Or, you can load the capture buffer with frames from a previously- 
saved file. By loading previously-saved frames, you can examine frames captured 
at another time or place, or frames sent to you for study. This procedure also lets 
you examine the sample frames supplied with the Sniffer analyzer. 


Loading a File of Previously-Saved Frames 


To view a list of previously-saved files for loading into the capture buffer, first 
select files, then load, and then data. 
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When you press Enter, the Sniffer analyzer shows you a list of previously-saved 
capture files and directories. The list is in alphabetical order. A capture files has an 
extension consisting of the network's two-letter abbreviation and the letter C. You 
only see files from the network for which your analyzer is now configured 


The notation .. <DIR> in the top row indicates the directory one step nearer the 
root directory. Other entries with <DIR> indicate sub-directories. To see the list of 
files in a directory, highlight its name and press Enter. Use the Cursor Up or 
Cursor Down key to move the highlight to the file you want. Alternatively, to 
jump directly to a part of the list, type a letter from the keyboard. The highlight 
moves to the next entry starting with that letter. 


When you ve highlighted the name of the file you want, press Enter to load it. 


Saving a File of Frames 


While you have frames in the capture buffer (either because you just captured 
them, or because you loaded them from a file), you can select files/save/data. You 
can save: 


* Everything in the capture buffer. 
or 
* Only those frames that pass your current display filter. 
or 
* Only frames within a particular range. (You set the range of frames to be saved in 
the same way that you set the range of frames to be printed.) 


You indicate your choice by supplying values for from and to and by deciding 
whether to check filtered only, as appropriate (Figure 7-8). The default frame 
numbers (in Figure 5-35, frame 10 and frame 28) are those between the marked 
frame and the current frame. 


(RemoR) 143 


Sniffer Network Analyzer Operations Manual 


>From first frame 
From frame 10 4 


Load 

ig last frame 
Change path ¢ Setups < | To frame 28 ¢€ 
Delete data file ¢ 

Make directory 4 x Filtered only 


Save capture-buffer data to a disk file. 


Use the arrow keys to move, or ENTER to do this function 


3 Data 10 New 
Help display capture 


Figure 5-35. Menu to save captured frames to a file;. 


Deleting a File of Saved Frames 


The files menu also offers you the option to delete a file of saved frames (Figure 7— 
8). When you highlight delete and press Enter, the analyzer opens a dialog box 
showing the names of files of saved frames, in much the same way as it shows a 
list of files to be loaded (see page 142). The list includes only capture files related to 
the network you are now using. 


Pressing Enter while the name of a file is highlighted indicates that you want to 
delete it. The analyzer opens a dialog box headed Warning with the message 
Deleting: followed by the name of the file. You can press Enter to go ahead and 
delete the file, or Escape to return to the list of data files without deleting it. 


Saved Setups 


Your “setup” is the particular constellation of display options, filters and controls 
you're using. You can save the setup to a file. Later, you can load that file, thereby 
restoring all those options to the values they had when you saved the setup. 


To save your current setup, select files, then save, then setup. The analyzer asks 
you for the first part of the name and automatically supplies the extension xxS. 
You may choose any name. If the name you choose is already in use, the Sniffer 


analyzer warns you and lets you either escape (and choose another name) or 
overwrite the existing file. 
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Contents of a Setup File 


The setup file records each option settable by a check mark or a radio control. 
Some items set in other ways are also included, but some are not. 


* Included ina setup file are: 


General options (for example, whether to have audible clicks). 


Capture options (for example, whether to display skylines or meters, whether to 
show individual or pairwise counts). 


Capture filters (including source and destination addresses, and pattern match 
logic together with the individual patterns and their offsets). 


Trigger options (including options for stopping capture and pattern match logic 
together with the individual patterns and their offsets ). 


Display options (including views and levels). 


Display filters (including source and destination addresses, and pattern match 
logic together with the individual patterns and their offsets). 


Printer options (including whether to send output to a printer or to a file, 
whether to include headings and page numbers). 


* Excluded from a setup file are: 


The path you may have set for locating the directory of files to be loaded or 
saved; that can be recorded by the set path command. 


The capture buffer; that can be saved independently by the command sequence 
save and then data. 


The name table; that can be saved independently by the command sequence, 
manage names and then save names. Your setup may refer to addresses (for 
example, in station address filters). However, the setup file stores numeric 
address but not the associated names; names are only in the name table. 


Using a Saved Setup File 


When you first start the Sniffer analyzer, it checks for the existence of a file called 
STARTUP.xxS. If it finds such a file, it treats it as a setup file and loads it 
automatically. Otherwise, it uses the analyzer’s standard defaults. 


To activate a saved setup manually, go to the files menu, then load, then setup. 
The Sniffer analyzer opens a dialog box showing you a list of saved setup files. 

Select one and press Enter (Figure 7-7). When it loads the setup file, the Sniffer 

analyzer sets all options the way the setup file specifies. 
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Chapter Overview 


Two modules permit you to operate the Sniffer analyzer from a remote computer. 
TeleSniffer uses an IBM PC or compatible as the controller. SniffMaster currently 
uses a Sun workstation. This brief chapter summarizes and compares their 
characteristics. 


Features of TeleSniffer and SniffMaster | 


During remote operations, a Sniffer analyzer receives its instructions from the 
keyboard of another machine and delivers its displays to the controlling machine’s 
screen (as well as to its own). You install the Sniffer analyzer on a network in the 
usual way. It has the same facilities it would have if it were operated locally. It acts 
as though its keyboard and screen were on a very long cable — perhaps long 
enough to operate the analyzer from the other side of the country. 


There are two different facilities for remote operation: SniffMaster and TeleSniffer. 
(See Figures 1-8 and 1-9, page 12.) Figure 6-1 compares the two. Each has its own 
manual, which you should consult for detailed instructions. 
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SniffMaster TeleSniffer 
Remote device (for | A Sun workstation on a network. An IBM-compatible PC. 
control and display) 
pes From the analyzer’s serial port: ee 

Communication * to the serial port of a terminal handler From the analyzer’s serial port to the 
link on a network and thence through serial port of the remote PC (via 

whatever networks link the terminal | odem or direct link). 

handler to the workstation, or 

* to the controlling workstation’s serial 

port (directly or via modem). 

Hardware: Modem (when used over a communications line) or modem-eliminator (when 


at the analyzer 


at the remote 
controller 


directly cabled) attached to the Sniffer analyzer’s serial port. 


Matching hardware for the hardware used at the Sniffer analyzer. 


Software: 
at the analyzer 


at the remote 


SniffMaster host software supplied with 


the analyzer (already installed). 


—— | 


TeleSniffer host software supplied 
with the analyzer (already installed). 


SniffMaster remote software (included 


TeleSniffer remote software is 


controller with purchase of SniffMaster host supplied with the analyzer. Copy it 

software) installed on a Sun workstation | from the analyzer’s hard disk to the 
that has SunView. hard disk of the remote PC. 

Work of the remote | Runs ina window. Other activities The task of running the Sniffer 

controller (including other remote Sniffer sessions) | analyzer requires the PC’s exclusive 
may run in other windows. attention. 

Other capabilities Execute a subset of DOS commands 

on the analyzer; transfer files. 
Figure 6-1. Features of SniffMaster and TeleSniffer. 
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Chapter 7. The Sniffer Analyzer’s Use of Files 


Chapter Overview 


This chapter describes: 


¢ Files that the Sniffer analyzer uses and the directories that contain them. 
© The internal format of files used to store name tables, setups, and saved traces. 


- Parameters passed to the Sniffer analyzer at startup that affect its operation. 


During everyday use of the analyzer, you should have little or no need for the 
information in this chapter. However, knowledge of the file organization may 
prove useful when you back up Sniffer files to another device or import files from 
somewhere else. This chapter presumes a familiarity with the naming and storage 
conventions of the DOS file system. 


Knowledge of the internal format of files or the Sniffer analyzer’s startup 
parameters will probably be useful only to experienced programmers with special 
projects or equipment. 


File Names 


Under the DOS operating system, a file’s name is composed of two parts. The two 
parts are separated by a dot. The first part (sometimes called the base name) may 
contain up to eight characters. The second part (called the extension) consists of 
three letters. (Omitting the dot and the letters that follow it has the same effect as 
writing a dot and three blanks.) 


Certain extensions have special significance to DOS. For example, an executable 
file has the extension .EXE, .COM or .BAT; DOS won't execute a file whose name has 
some other extension. Figure 7-1 shows some of the extensions that occur in files 
used by the Sniffer analyzer. The first two of these are standard DOS conventions, 
while the others are more specific. 
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Extension File type 


-EXE Executable file. The extension may be omitted from the DOS 
command that invokes its execution. 


-BAT Batch file (an executable file consisting of commands in the DOS 
shell language). The extension may be omitted from the DOS 
command that invokes its execution. 


-PRN Output file generated by a report generator for printing (whether or 
not sent directly to a printer). 


-CSV Output as “comma-separated values,” intended as input to a spread 
sheet. 


-TXT Script used to generate the selection menu; used by the executable 
file MENUX.EXE. 


-MNU Menu script to generate an analyzer’s entry in the selection menu. 


-CFG Configuration script describing the protocol interpreter suites for a 
network. 


-HLP Help file to explain choices in the Sniffer analyzer’s menus. 


Figure 7-1. Extensions in Sniffer file names. 


Each Sniffer analyzer (that is, each executable file that operates an analyzer for a 
specific network) also uses files that are specific to its network. Each of these files 
has a name whose extension classifies it by use and by network. The first two 
letters of the extension indicate the network, and the last letter indicates the type of 
file. For example, if you’re working on PC Network and save the capture buffer to 
a file called MYDATA, the analyzer assigns it the extension .PCC (PC Network 
captured frames). Letters used in extensions are listed in Figure 7-2. 
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First Two Letters Last Letter 
| 
EN Ethernet C Captured frames 
TR Token Ring S Setup (values of options used in 


operating the analyzer). 
LT LocalTalk 
D Station names (file of symbolic 


AR ARCNET equivalents for numeric addresses). 
SL StarLAN I IDs (symbolic equivalents for the 
manufacturer codes within numeric 
SY WAN/Synchronous addresses). 
PC PC Network T Type (used by Sniffer Network Monitor 
(broadband) for symbolic equivalents for types of 
DLC frames) 


p1 PC Network 
p2 at specific frequency 
P3 pairs 


B_ Binary type (used by Sniffer Network 
Monitor summaries of network activity) 


Figure 7-2. Letters used in the extensions of files for specific networks. 


Names for the Sniffer’s Executable Files 


You don’t ordinarily see the name of the Sniffer analyzer’s executable files. That's 
because you start work by moving the highlight to one of the entries in the 
selection menu. An item in the menu describes an analyzer (for example “Token 
Ring Analyzer”) but doesn’t show you the name by which DOS identifies the 
executable file. For each analyzer listed in the menu, there’s a separate executable 
file. Each executable has a name that encodes the network on which it runs and the 
protocol interpreter suites it includes. The name is constructed as follows: 


The first two letters indicate the network in the way shown in Figure 7-2. Those 
two letters are always followed by the letters SN. The next four positions are used 
to encode the protocol interpreter suites that are linked into the executable file. 
This encoding may use any of the characters 0-9 or A-V. It permits any 
combination of protocol suites to be given a unique name. For example, an 
Ethernet analyzer with interpreter suites for DECnet, TCP/IP and ISO has the 
names ENSN2000.EXE. A token ring analyzer with the same suites and also the IBM 
protocol suite has the name TRSNIOO0.EXE. 
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Directories 
Figure 7-3 summarizes the principal directories on the Sniffer analyzer’s hard disk 
(drive C). 
ROOT 
AUTOEXEC.BAT 
CONFIG.SYS 
DOS 
CONFIG 
Present only when 
! we you have the 
TOOLS Configuration Utility 
Qc2 LIB 
BIN 
The Sniffer analyzer 
has an XXSNIFF directory 
XXSNIFF for each installed network. 
[amr 
HELP 
NEWPI 
CAPTURE Each xxSNIFF directory 
contains executable files 
| REPORTS | for the Analyzer and 
for the Monitor. 
| SAMPLES | It also contains directories 
HELP and NEWPI that are 
specific to the network. 
TELESNIF 
HOST 
REMOTE 
SNIFMAST 
HOST 
| REMOTE 


Figure 7-3. Directories on the Sniffer analyzer’s hard disk. 


The root directory contains the files AUTOEXEC.BAT and CONFIG.SYS. The computer 
refers to them automatically each time you reset the machine or turn on power. 
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The Sniffer analyzer’s AUTOEXEC file establishes the path: that is, the list of 
directories in which the operating system searches for executable files. The 
AUTOEXEC file invokes the selection menu. From there, you select one of the 
Sniffer analyzer’s major functions. 


DOS Directory 


The DOS directory contains all of the operating system files (except the few that are 
in the root directory). The path includes the DOs directory, so the operating system 
looks there to find its own files. Normally, you won't need to make any changes to 
files in the DOS directory. 


CONFIG Directory 


The CONFIG directory contains scripts that generate the Sniffer analyzer’s main 
menu and the menu of the configuration utility. 


Menu files. Each executable file is accompanied by a menu file whose name is the 
same but has the extension .MNU rather than .EXE. The executable file reside ina 
directory for its network, but all .MNU files reside in the \CONFIG directory. For 
example, the executable file TRSNIO00.EXE (in the directory \TRSNIFF) is 
accompanied by the menu file TRSNIO00.MNU (in the \CONFIG directory). 


The analyzer uses the various menu files to generate entries in the main selection 
menu. Each menu file is responsible for one analyzer’s entry in the selection menu. 
The .EXE files and the .MNU files are already supplied by Network General. When 
the configuration utility generates a new executable file, it automatically generates 
the corresponding .MNU file as well. Similarly, when it deletes an executable file, it 
also deletes the corresponding .MNU file. 


Configuration files. For each of the analyzer’s network interface cards, there is a 
configuration file. Its name is formed from the two-letter network abbreviation, the 
letters SNIFF, and the extension .CFG (for example, for Ethernet, ENSNIFF.CFG). The 
configuration utility uses the .CFG file to generate its menu (described in Chapter 
8). The menu lists all the protocol interpreter suites that (a) can be used with the 
network and (b) have been installed in the analyzer. From the resulting list, you 
select the particular protocol interpreter suites for a new executable file. 


TOOLS Directory 


The TOOLS directory contains the program that generates the Sniffer selection 
menu, and various other utilities that it invokes. The analyzer’s DOS path directs 
the operating system to the TOOLS directory, so you won't usually need to make 
explicit reference to it. 


On an analyzer that has the configuration utility, the tools directory has a sub- 
directory QC2. It contains the Microsoft Quick-C compiler, and its sub-directories 
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LIB and BIN. You'll need these if you generate your own protocol interpreters (as 
described in Sniffer Network and Protocol Reference). 


XXSNIFF Directories 


Your analyzer’s hard drive has a directory for each installed network. Each of these 
directories has a name formed from the two-letter network abbreviation, followed 
by the letters SNIFF. For example, if your machine has an ARCNET and a LocalTalk 
analyzer, you have directories called ARSNIFF and LTSNIFF. 


For PC Network, the directory’s name is PISNIFF, P2SNIFF, P3SNIFF or P4SNIFF, to 
match the particular frequency combination of the network interface card. If you 
have PC Network NICs for different frequencies, each has its own directory. 


CAPTURE Directory 


The CAPTURE directory is where the Sniffer analyzer ordinarily saves files of 
captured frames. Even if you have several different xxSNIFF directories, each with 
its own executable file, they all use the same CAPTURE directory. (However, when 
you load a saved file, the menu shows you only files that match the network you 
are currently using.) 


Within the CAPTURE directory, there are two sub-directories. CAPTURE \SAMPLES 
contains trace files from various networks. Some of the examples in this manual 
are taken from files in the SAMPLES directory. CAPTURE\REPORTS contains report 
scripts used by the Sniffer Network Monitor. 


Several directories for CAPTURE files 


To keep various sets of captured data separate (for example, data collected from 
different networks or under different circumstances), you may want to set up 
different directories to contain the files. The batch file that starts the Sniffer 
analyzer makes \CAPTURE the current directory. 


Creating a new directory. When you're about to save some files, you may wish to 
create a new directory to contain them. You can do that without leaving the Sniffer 
analyzer. On the files menu, select make directory. When prompted, type the 
name of the new directory. 


Setting the path to a directory for saved capture files. When the files you want to 
work with are in a directory different from the current directory (that is, different 
from the directory from which you started the Sniffer analyzer ), you can establish 
a path to the directory you want. To change directories, follow these steps: In the 
files menu, select change path. When the analyzer opens a dialog box, type the 
complete path to the directory. That’s where the Sniffer analyzer will look first 
when you ask it to load or save a file. 
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Names for Files of Captured Frames 


A data file created by saving frames from the capture buffer is called a capture file 
(or sometimes a trace file). It has the same internal format as the capture buffer; 
you cannot read a capture file as text. 


When you create a data file, assign it any name you wish in eight letters or fewer. 

The Sniffer analyzer automatically supplies the name’s extension (the three letters 

following the dot). The extension consists of the two-letter network code followed 
by the letter C for “capture.” The codes are shown in Figure 7-4. 


WAN/ Token Ethernet PC ARCNET | StarLAN | LocalTalk 
Synchronous Ring Network 


Figure 7-4. Extensions in the names of capture files. 


Storage of Setups and Name Tables 


For information about names or setups, the Sniffer analyzer refers to three kinds of 
files. Each type has a characteristic extension. As described in Figure 7-2 (page 
155), the extension consists of the two-letters network abbreviation (EN for 
Ethernet, SY for synchronous, TR for token ring, and so on) and a final letter to 
indicate the type of file. Each time the Sniffer analyzer starts execution, it refers to 
one or more of these. (Some networks use more than others.) The types of files are 
listed in Figure 7-5. 


File Name Contains Used to Set Used by Analyzer for which Network? 

STARTUP.xxD | File of The analyzer’s | Any network. As distributed, the file 
symbolic working name | contains only standard broadcast addresses. 
names for table. You may add to it (manage names) and save 
addresses. the revision (save names) 

STARTUP.xxI | File of manu— | The analyzer’s | Any network that uses 6-byte station 
facturer IDs table of manu-| addresses. 
and names. facturer IDs. 

STARTUP.xxS | Setup table. The analyzer’s | If you have created a file called STARTUP.xxS, 

or captureand | any network loads it initially. Setup files are 
anyname.xxS display created and named by save setup; any setup 
options. file may be activated by load setup. 


Figure 7-5. Files referred to at startup.. 


Each time you start a Sniffer analyzer, the software automatically checks for the 
presence of the startup files it needs. It looks for them in the \CAPTURE directory. If 
it finds them, it uses them to set its working name table, or to initialize the 
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analyzer’s filters and settings. If the analyzer doesn’t find a file it needs, it uses a 
default setup or an empty name table. 


Saving Setups and Names to a File 


The three types of files (name files, manufacturer ID files, and setup files) have 
different mechanisms for loading and saving. These mechanisms are summarized 
in the paragraphs that follow and in Figure 7-~. In the figure, a gray arrow 
indicates automatic loading each time the analyzer is started. A black arrow 
indicates that a file that you can load or save upon command. 


Working Name Table 


Manufacture IDs 


Setups 


The options resolve names, and look for names merge new names 
into the existing working name table. 


The option save names rewrites the file startup.xxD. The revised 
file is automatically used the next time you start the analyzer. 


There is no provision to edit this table from within the Sniffer 
analyzer. If you use a text editor to alter the content of STARTUP.xx1, 
the changes will take effect next time you start the analyzer. 


The option save setup permits you to save the current setup ina 
named file. 


The option load setup opens a dialog box from which you may 
select a stored setup file. When you load a setup file, the settings in 
the file replace the current active setup. 
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Sniffer Software 


VWORKING Arora 
at 


initialization 


| UNAMETT. xx$ 


| 
STARTUP. xx1 | | 
______| §TARTUP. xx 


STARTUP. xxD 


Figure 7-6. Stored files and working copies of name tables and setups. 


Modifying the Default Setup 


To alter the analyzer’s initial setup, save your setup under the name STARTUP. 


The Sniffer analyzer does not require a file called STARTUP.xxS and Network 
General does not provide one. However, the Sniffer analyzer always checks for the 
presence of a file called STARTUP.xxS and loads it if it exists. When the analyzer 
asks you to name your setup file, if you reply STARTUP, the file thus named will be 
loaded automatically each time you start the analyzer. (If you assign some other 
name, the file becomes active only when you load it.) 


Restoring the Setup to Network General’s Defaults 


Suppose you have been using a customized setup and wish to revert to the default 
setup with which Network General shipped the analyzer. You can do that in either 
of two ways, one lasting and the other temporary. 


Lasting: Exit to DOS. Rename the file STARTUP.xxS (preserving the extension, 
but changing startup to anything else). The DOS command is 
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rename startup.xxS oldstart.xxs 
Each time you start the analyzer thereafter, finding no file called 
STARTUP.xx S, it uses its standard defaults. 


Temporary: While running the analyzer, go to the files menu, then load, then 
setup. Choose the setup filled called DEFAULTS.xxS. It contains a 
duplicate of the analyzer’s default settings. When you load this file, it 
restores the default setup, but this will not affect the initial setup the 
next time you start the analyzer. 


Name Tables 


Procedures for assigning names to stations are described in Chapter 5, starting at 
page 136. This section describes the format of files that contain name tables. 


While it runs, the Sniffer analyzer uses an internal directory called the working 
name table Each time you start the analyzer, it initializes the working name table by 
reading from the file STARTUP.xxD. 


To locate the file STARTUP.xxD, the analyzer looks in the current directory. The 
batch file that starts the analyzer normally makes \CAPTURE the default directory, 
so the file is \CAPTURE\STARTUP.xxD. 


You may have additional reference files of names and station addresses. These are 
basically renamed copies of a startup file. The new name must be something other 
than STARTUP, but must have the same extension as a startup file. You can have the 
analyzer consult these additional name files by the resolve names command 
(page 141). The analyzer then opens a dialog box in which you may select one of 
the name files to consult. Initially, it shows you files in the current directory 
(\CAPTURE), so it’s usually convenient to store such files in that directory. The 
dialog box permits you to move to another directory, so it is also possible to store 
name files elsewhere if you prefer. 


In all cases, the extra name files are used as a source of names to fill blanks in the 
working name table. There is no command to load an entire substitute name file 
the way you load a setup.1 


Building Name Files 


A name file is identified by an extension consisting of the two-letter network code 
followed by the letter D. There are two principal ways to generate a name file: by 
saving and then renaming the working name table, and by writing a name file 
from scratch with a text editor or other program. 


If you wish to maintain several independent name files, use DOS commands to give them arbitrary names. Before 
you start the analyzer, assign the name STARTUP.xxD to the one you wish to be active. 
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Copy and rename the working name table. Using the various commands in the 
mange names menu to put the information you want into the working name table 
(as described in Chapter 5). Then: 


* Execute the command save names. The analyzer saves a file called 
startup.xxD. 


¢ Exit from the Sniffer analyzer and return to DOS. 


» Atthe DOS prompt, copy the file STARTUP.xxD, giving it a new name but 
with the same extension. 


Write a name file with a text editor. Alternatively, you can build your own name 
files directly. This section describes a name file’s internal format. 


All name files have the same format, which applies both to the file called 
STARTUP.xxD and any other name files you may use as sources. Figure 7-7 shows 
part of a name file. Since a name file is a standard ASCII file, you can use any text 
editor to build or modify it.1 


station "Broadcast" 
station "Error Log" 
station "ipS1" 
station "ipS2" 
station "ipS3" 


addrtype "DLC" COOOFFFFFFFF 
addrtype "DLC" C00000000008 
addrtype "IP" [36.10.0.13] 
addrtype "IP" [36.11.0.14] 
addrtype "IP" [36.11.0.23] 
station "ipS4" addrtype "IP" [36.2.0.5] 
station "ipS5" = addrtype "IP" [36.22.0.20] 
station "Long, 31-Character Station Name" = addrtype "DLC" 400000000002 
station "Mary" = addrtype "DLC" 10005A0033BF 
station "This Sniffer" addrtype "DLC" 48000A000001 
station "Tom" addrtype "DLC" 10005A002FEB 
station "Faquard" addrtype "XNS" 08000AC7CEFE 


Figure 7-7. Sample name file. 


For convenience during subsequent display, the save names command sorts the 
rows of the table alphabetically by name. However, the Sniffer analyzer does not 
require a name file to be in alphabetical order. 


The following features of a name table are illustrated in Figures 7-7 and 7-8. 


* Type. Each line starts with a word or symbol that identifies its type. The three 
types are distinguished by the following as their first non-blank characters: 


station The balance of the line describes one station’s name and address. 


addrtype The balance of the line sets the default address type (protocol) that 
applies to subsequent lines that don’t include it explicitly. 


/* A line that starts with /* and ends with */ is a comment and is not 
executed. 


1 The only editor supplied with the Sniffer analyzer is EDLIN, supplied as a part of DOS. But it’s a simple matter to 
use any editor of your own. 
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* Name. The station’s name to the right of the word station. The name must be 


enclosed in double quotes. 


* Address type. Each address must be assigned to a specific type (that is, protocol). 


The type can be stated in either of two ways: 
Explicitly for each address, by including the phrase 
addrtype "DLC" 


to the left of the address (as shown in Figure 7-7). A name file generated by 
save names is entirely in this form. 


Implicitly, using the current default type (Figure 7-8).An address that has no 
explicit type is presumed to belong to the current default type. The default type 
is initially "DLC". The default type is set by each use of addrtype, a remains in 
effect until another addrtype. 


Address. The address follows an = sign. An address is not enclosed in quotes. Each 
address is written in a form appropriate to its type (the same way the Sniffer 
analyzer displays it in the detail window). For example, a 6-byte DLC address is 
written as 12 hexadecimal digits. A 4-byte IP address is written as four decimal 
numbers separated by dots and entirely surrounded by square brackets. A 1-byte 
DLC address on LocalTalk is shown as two hex digits, or on ARCNET as either 
two hex digits or three octal digits (with leading zeros). 


Name table with default types. Figure 7-8 shows the same information as Figure 
7-7, but makes use of default types. To improve readability, the file may contain 
redundant blanks or blank lines, as well as comments. 


station "Error Log" C00000000008 

addrtype "IP" 
station "ipS1" 
station "ips2" 


station "ips3" 


[36.10.0.13] 
[36.11.0.14] 
[36.11.0.23] 


noutoutt to nou 


station "ips4" [36.2.0.5] 
station "ips5" [36.22.0.20] 
station "ipS6" [36.26.0.54] 
station "ipS7" [36.26.0.56] 
addrtype "DLC" 
/* Long name inserted as a test */ 


station "Long, 31-Character Station Name"=400000000002 


station "Mary" = 10005A0033BF 

station "This Sniffer" = 48000A000001 

station "Tom" = 10005A002FEB 
addrtype "XNS" 

station "Faquard" = 08000AC7CEFE 


Figure 7-8. The name file of Figure 7-7 rewritten with default types. 
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Assigning One Name to Multiple ARCNET Addresses 


On the ARCNET Sniffer analyzer, a special naming rule lets you assign the same 
name to several addresses. Then the Sniffer analyzer treats those addresses as a 
single address. You can use the name in capture or display filters as a shorthand 
for a set of addresses. 


Here’s a situation where this might be useful. To enhance its input/output 
capacity, a large file server has two adapters on the same network. By assigning a 
common name to the two addresses, you can collect data for the server as a whole 


station "->Fedora” 
station "Broadcast" 
station "Galloway" 
station "Fedora" 
station "->Fedora" 


addrtype "DLC" 22 
addrtype "DLC" 00 
addrtype "IP" [36.54.0.12] 
addrtype "DLC" Dl 
addrtype "DLC" 24 


Figure 7-9. Assigning one name to several physical addresses on ARCNET. 


Figure 7-9 shows the format for assigning the name Fedora to three addresses. 
First, assign the name to one of the addresses in the usual way. In Figure 7-9, the 
fourth line assigns Fedora to DLC address D1. Edit the name table to assign the 
name Fedora to DLC addresses 22 and 24 also. However, for these stations, insert 
an arrow in front of the name. (The arrow is formed by a hyphen and a right angle 
bracket like this ->.) These alias names may be assigned by editing the name file 
(as shown) or by inserting them manually by way of the edit names menu. 


As long as the name table contains these names marked with ->, the analyzer 
displays traffic to any of the three addresses as if it were traffic to D1. 


You can assign a common name to any number of physical addresses . One of 
them must be named in the usual way. The others have the same name preceded 
by an arrow. 


Despite the common name, each address maintains its own distinct hex or octal 
address. After capture, you can edit the name table and reanalyze the data using 
the true addresses. The data you collect and save to files always retains the true 
address. 


Alphabetization of Station Names 
The order of entries in a name file doesn’t matter. 
When the Sniffer analyzer builds and displays its working name table, it shows the 


list in alphabetical order by name. Addresses that you haven't named (and 
therefore have blank names) appear at the top of the list. 
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Each time you edit a name in the working name table, the Sniffer analyzer re- 
alphabetizes the list. When you save names, the saved file preserves the order of 
the working name table (but discards entries that aren’t named). 


Table of Manufacturer ID Codes and Abbreviations 


On most LANs, an address consists of six bytes. The first three represent the 
manufacturer. The analyzer attempts to represent the first three bytes by a six- 
character abbreviation of the manufacturer’s name. The address then appears as 
six characters of manufacturer abbreviation followed by six characters of 
hexadecimal, for example Intrln031EF7. 


The table of manufacturer codes and names is located in the file STARTUP. xx1, 
where xx is the two-letter code for the network, and I indicates the ID table. The 
file’s internal format is illustrated in Figure 7-10. The figure shows the content of 
the file STARTUP.xxI for a network that transmits least-significant-bit first. (For 
compactness, the lower part of the table is shown here with three entries per line. 
In the file, each has a line of its own.) 
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/* Sniffer table of assigned manufacturer IDs. */ 
/* This is for networks where the LSB is sent first, such as */ 
/* Ethernet, StarLAN, and PC Network. Note that we've put in here */ 
/* what we actually see in the real world, not what IEEE would like*/ 
manuf "VisTec" = 000022 /* Visual Technology, Inc. */ 
manuf "NwkGnl" = 000065 /* Network General Corp. */ 
manuf "Prteon" = 000093 /* Proteon (bit-reversed from token ring!)*/ 
manuf "Amrstr" = 00009f /* Ameristar Technology */ 
manuf "Wllflt" = 0000a2 /* Wellfleet */ 
manuf "NCD "= 0000a7 /* Network Computing Devices, Inc. */ 
manuf "NSC "= 0000a9 /* Network Systems Corp. */ 
manuf "RND "= 0000b0 /* RAD Network Devices Ltd. */ 
manuf "Cimlin" = 0000b3 /* CIMlinc */ 
manuf "WstDig" = 0000c0 /* Western Digital */ 
manuf "HP EON" = 0000c6 /* H-P Intlgnt Networks Oper (EON) */ 
manuf "IBM "= 10005a /* (not bit-reversed from token ring) */ 
manuf "Intrln" = 020701 /* Interlan, Inc. */ 
manuf "NSC "= 080017 /* Network System Corp. */ 
manuf "“Intrgr" = 080036 /* Intergraph */ 
manuf "Univtn" = 080049 /* Univation */ 
manuf "IBM "= 08005a /* (bit-reversed from token ring) */ 
manuf "ComDes" = 080067 /* ComDesign */ 
manuf "Xerox " = 0000aa manuf "Dove " = 0000b7 manuf "MIPS " 
manuf "Ardent" = 00007a manuf "Cayman" = 000089 manuf "TRW _ 
manuf "Cisco " = 00000c manuf "NexT " = 00000f manuf "Sytek " 
manuf "Novell" = 00001b manuf "Altos " = 0000c8 manuf "Gould " 
manuf “Acer " = 0000e2 manuf "Alantc" = 0000ef manuf "Agilis" 
manuf "Intel " = 00aa00 manuf "U-B "= 00dd00 manuf "U-B uy 
manuf "3Com " = 02608c manuf "CMC "= Q2cflf manuf "Bridge" 
manuf "ACC "= 080003 manuf "Symblx" = 080005 manuf "Apple " 
manuf "BBN "= 080008 manuf "H-P "= 080009 manuf "Nestar" 
manuf "Unisys" = 08000b manuf "AT&T " = 080010 manuf "Tktrnx" 
manuf "Exceln" = 080014 manuf "DG "= 0800la manuf "DG 5 
manuf "Apollo" = 0800le manuf "Sun "= 080020 manuf "NBI % 
manuf "CDC "= 080025 manuf "TI "= 080028 manuf "DEC 
manuf "Mtaphr" = 08002e manuf "Spider" = 080039 manuf "DCA * 
manuf "Sequnt" = 080047 manuf "Encore" = 08004c manuf "BICC " 
manuf "Ridge " = 080068 manuf "SilGrf" = 080069 manuf "AT&T " 
manuf "Exceln" = 08006e manuf "Vtalnk" = 08007c manuf "Xyplex" 
manuf "Kinetx" = 080089 manuf "Pyramd" = 08008b manuf "Xyvisn" 
manuf "Retix " = 080090 manuf "DEC "= aa0003 manuf "DECnet" 


00006b 
00002a 
000010 
0000dd 
00805c 
00dd01 
080002 
080007 
08000a 
080011 
08001b 
080022 
08002b 
080041 
08004e 
08006a 
080087 
08008d 
aa0d004 


Figure7—10. Manufacturer ID translation. 


Manufacturer IDs in the table are shown as they appear in the computer once they have 
been captured. The IEEE assignment of IDs specifies the sequence in which bits are 
transmitted on the wire. For networks that transmit each byte low-order-bit first 
(such as Ethernet, StarLAN, PC Network Broadband) the address you see after it 
has been captured is the byte-by-byte reverse of what was transmitted on the wire. 
For example, the code used by IBM, is transmitted on the network by the sequence 
00010000 00000000 01011010. It appears to a token ring analyzer as 10 00 5A, but to 
an Ethernet analyzer as 08 00 5A. See the discussion of the bit-reverse option in 
Chapter 5, page 111. 


Data Exported to Printer or to File 


The contents of the capture buffer (before or after filtering) may be sent to the 
printer attached to LPT] or toa file. If to a file, the contents may be in a printer 


| Metwor|] 
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format (with or without page titles and page numbers), or in the CSV format 
recognized by standard spread sheets. (For details of this procedure, see Chapter 5, 
Displaying and Interpreting Frames, page 134 ff.) 


The files thus produced have the extension .PRN for printer files and .CSV for 
spread sheet files. 


Format of Saved Data Files 


For some purposes of data analysis, you may want to write a program that reads 
through a file of saved frames. The easiest way to do that is probably to select the 
appropriate display filters and options, and then “print” the capture buffer to a 
file. Especially if you choose the option to omit page titles, the resulting file may 
contain the information you want in an easily-accessible format. 


Alternatively, you may need to operate directly on the trace file that the Sniffer 
analyzer writes in response to the command to save data. This section describes 
the format of a trace file. 


Each trace file consists of sequences of variable length binary records. Since all 256 
byte values are possible within the data, you can not edit this file using an ordinary 
text editor. 


The first 16 bytes of a trace file contain a text message identifying the file as one 
containing data collected by the Sniffer analyzer.1 The message is followed by an 
end-of-file character (0x1A, also called Ctrl-Z). Even if you accidentally type the 
file to the screen, or otherwise treat it as a text file, the display reaches a terminator 
before reaching unprintable characters that may be in the data. 


Structures within the Data File 


Following the text message string, the file contains an arbitrary number of 
variable-length records. Each record is has a type, identified in its first two bytes. 
The three principal types are: 


Version record 
Frame record 
End-of-file record 


The first record in the file is a version record, the last is always an end-of-file 
record, and those in between are usually (but not necessarily) frame records. 


There is no explicit encoding of the file’s total length (except as part of its directory 
entry). 


For historical reasons, the message in all such files is “TRSNIFF data”, regardless of the network on which the 
frames were collected. 


168 


(eee 


Chapter 7. The Sniffer Analyzer’s Use of Files 


Header 


Every record, of any type, begins with the following header: 


struct f_rec_struct { Standard record header. 

int type; Type of this record. (Int = 2 bytes) 
int length; Length of remainder of this record. 
int rsvd; Reserved word, currently 0. 

yi 


The header’s first field indicates what type of record follows. The three principal 
types are identified by the following values: 


#define REC_VERS 1 Version record (£_vers). 
#define REC_FRAME2 4 Frame data (f£_frame2). 
#define REC_EOF 3 End-of-file record (no data follows). 


Types other than these are reserved for future or other use. If you write a program 
to process data files, you should have it skip any record that isn’t one of these 
types. The length field indicates how much data to skip. 
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Format of a Version Record 


struct f_vers_struct { 

int maj_vers; 

int min_vers; 

struct date struct date 
char type; 

char network; 

char format; 

char timeunit; 

int rsvd[3]; 


}; 


Major version of the analyzer 

Minor version of the analyzer 

Date & time (4 bytes, DOS format) 

What type of records follow. 

An indicator of the network type. 

An indicator of the format version. 

An indicator of the frame timestamp unit. 


Reserved words. 


The possible values of type are as follows: 


#define NETWORK_TRING 
#define NETWORK_ENET 
#define NETWORK_ARCNET 
#define NETWORK_STARLAN 
#define NETWORK_PCNW 
#define NETWORK_LOCALTALK 
#define NETWORK_ZNET 


#define NETWORK_SYNCHRO 


0 Token ring 

1 Ethernet 

2 ARCNET 

3 StarLAN 

4 PC Network broadband 
5 LocalTalk 

6 Znet 


7 WAN/Synchronous 
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The possible values of timeunit are as follows: 


#define TIMEUNIT_UNSPEC 0 Unspecified; default by network type. 


#define TIMEUNIT_PC 1 0.838096 microsecond units 
#define TIMEUNIT_3COM 2  15.000000 microsecond units 
#define NETWORK_MICOM 3. 0.500000 microsecond units 
#define NETWORK_SYTEK 4 2.000000 microsecond units 


Format of a Frame Data Record 


Each record starts with a header, as described above, followed by data in the 
following structure: 


struct f_frame2_struct{ 


int time_low; Low time, network-dependent units. 

int time_mid; Mid time, network-dependent units. 

char time_high; High time, network-dependent units. 

char time_day; Time in days since start of capture. 

int size; Number of bytes actually written in this file (may 


be less than the original length of the frame). 


char fs; Frame error status bits. 
char flags; Buffer flags — for internal use. 
int true_size; If non-zero, the size of the original frame (since 


this frame has been truncated). 


int rsvd3; } Reserved; currently 0. The frame data follows. 


All multibyte arithmetic fields (computed by the Sniffer analyzer during capture) 
are stored with the least significant byte first. Frame data are stored in the byte 
order transmitted. 


Format of an End-of-file Record 


The end-of-file record has no data; it consists only of the record header. 
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Startup Parameters 


A number of parameters affect the Sniffer analyzer’s operation. Some of these 
reflect the particular platform and network interface card, and there is no point in 
changing them. Others reflect the way you use the analyzer, and may change with 
circumstances. For those parameters likely to change, there are items in the 
selection menu. The sections that follow describe how to alter software parameters 
that are not represented in the menus. 


Caution: In many cases, a change in a startup parameter must be accompanied by 
a corresponding change in the physical equipment. It doesn’t make sense to tell the 
Sniffer software that you have a color display if the external monitor is in fact 
something else. Similarly, changing the software record of parameters such as the 
network interface card’s interrupt request makes no sense unless you have also 
made appropriate changes to jumpers or dip switches on the interface card. Such 
changes are probably necessary only when you have introduced non-standard 
variations in the equipment you are using. You'd better know what you’re doing! 
Before you make changes to the Sniffer analyzer’s hardware, you are strongly 
advised to consult the Technical Support Department at Network General 
Corporation. 


How the Parameters are Passed 


Startup parameters are passed to the Sniffer analyzer as part of the statement that 
invokes the analyzer’s executable file xxSNxxxx.EXE. Ordinarily you don’t type that 
statement yourself, or even see it. The statement that launches the analyzer 
receives input from three sources. Depending on the sort of change you want, that 
gives you three places at which you might make revisions to the files. 


The command to launch a Sniffer analyzer is located inside the batch file that is 
executed whenever you select an analyzer in the main selection menu and press 
Enter. That file is SNSTART.BAT (located in the \TOOLS directory). Thus, to make a 
change that affects the operation of every analyzer available on your machine, 
modify SNSTART.BAT( in ways described below). 


The file SNSTART.BAT does not contain the startup parameters directly. It receives 
them as arguments, or by referring to DOS environment variables. For each item 
in the selection menu, there is a separate file with a name ending in .MNU. The 
various .MNU files all reside in the \CONFIG directory. Each .MNU file describes a 
single item on the screen of the selection menu. It specifies both the text you see on 
screen and the action to be taken when you select that item. An item’s .MNU file 
specifies the arguments that will be passed to SNSTART. Thus to make a change that 
is specific to a particular executable file (that is, to a single item in the main 
selection menu) you might edit its .MNU file (in ways described below). 
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For this analyzer only, insert changes here 


\CONFIG\ENSNO000.MNU 


What the menu item will say 
Text for the menu item's help line 


nppporo 


;-fake snstart EX EXsn0CCC Ethernet i:D80C-o: 


TW 


YY ¥ aves 
\TOOLS\SNSTART.BAT eeeceeeces 


"nop" 3]; 


cho The BS Sniffer is net installed 
So we can use the network's name 
in an error message... 


cond “Eder fPMQ. exe Yoor% Yscrnode® % 36 47 28 WTS 


aS Read screen parameters 


from DOS environment 


variables SCr' and aie 
For all analyzers, insert changes here 


or here 


Figure 7-11. Location of startup parameters in files;. 


Editing Startup Parameters 


The location of startup parameters in the the files SNSTART.BAT and xxSNxxxx.MNU 
are depicted graphically in Figure 7-11. You can change startup parameters in 
three ways: 


1. Modify parameters for a specific Sniffer analyzer by editing its .MNU file. This 
modification affects a single executable file. In the \CONFIG directory, locate 
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the appropriate .MNU file. In its last line, replace the characters 
"NOP" 
by one or more parameters, each enclosed in double quotes and set off from 
each other by blanks. For example, to specify a maximum of 800 names in the 
address table and a capture buffer limited to 40K bytes, replace "NOP" by 
"MAXSTNS=800" "BUF=40K" 


2. Modify parameters for all Sniffer analyzers by editing SNSTART.BAT. Locate 
the line that begins with sload (the scatter loader that loads the executable file 
into memory and then starts its execution). Append your parameters at the end 
of the line, following %9. Put double quotes around each (as described in the 
preceding paragraph). 


In the line that begins with SLOAD, the entries %5 through %9 are there to pass 
any additional parameters that may have been inserted in .MNU files. Don’t 
delete them unless you're absolutely certain that none of your .MNU files has 
been modified to include additional parameters. 


3. Set screen parameters by setting DOS environment variables. You can use 
DOS environment variables to set values for SCR (which specifies the type of 
monitor) or SCRMODE (which controls the way the scrolling is shown as you 
move from one menu panel to another). At the DOS prompt, type SET SCR= or 
SET SCRMODE= followed by one of the possible values (listed in Figure 7-12, 
page 175). 


Cautions: (a) The environment variables are lost when you reset the machine or turn off 


power. To have them automatically regenerated at each power up, insert a 
statement in \AUTOEXEC.BAT. 

(b) Choosing any of the screen options in the main selection menu also sets the 
environment variable SCR (and therefore overwrites any earlier setting of SCR). 


Position and Duplication of Parameters 


The first four parameters passed to SNSTART.BAT are interpreted by position. That 
is, the first must be a two-letter network abbreviation, the second must be the name 
of the executable file, the third must be the name of the network, and the fourth 
must be a memory specification for FIXEMM. After the first four, there is no 
required order for the others. 


The Sniffer analyzer program receives its parameters as specified by the line in 
SNSTART.BAT that begins with SLOAD. It scans the parameters in order from left to 
right. If you supply duplicate or contradictory parameters, a later one (that is, one 
further to the right) overrides an earlier one. 


The way SNSTART.BAT is written (see Figure 7-11), the first parameter passed to 
the analyzer is the value of the DOS environment variable SCR, followed by the 
value of SCRMODE, followed by up to five parameters that may have been 
substituted for "NOP" in the .MNU file. If you edited SNSTART.BAT by appending 
more parameters at the end of the line, being further to the right they are evaluated 
later, and can overwrite those to the left. 
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Listing of Startup Parameters 


The settable parameters are listed in Figure 7-12. Parameters concerning the use of 
extended memory are listed in Figure 7-13. Parameters concerning the interface 


card are listed in Figure 7-14 and in more detail in Figure 7-15. 


Topic Parameters 
Screen display attributes (DOS environment variable SCR). MONO 

To optimize attributes in the Sniffer analyzer’s display COLOR / COLOUR 
screens, the analyzer selects color or shading attributes to GRAY/ GREY 
match the capabilities of various devices. GRAY is intended LCD 

for Compaq monochrome gray scale. LCD is for liquid crystal Gree ~ 
displays with black characters on a clear background, and 

LCDR for the reverse. 

Scrolling during panel-to-panel movement (DOS NOSCROLL 
environment variable SCRMODE). On a local screen, during 

transition to a new panel the analyzer redraws the screen in 

stages to convey the effect of motion. When you control the 

analyzer from a remote station it may be preferable to 

eliminate the transition display to save time. 

Typeahead. By default, the analyzer does not accept new | TYPEAHEAD 
keystrokes during display. You may permit typeahead up to 

the limit of the DOS input buffer (15 characters). 

Buffer size limit. Ordinarily, the analyzer allocates all BUF=nnnK 


available memory for the capture buffer and reports an error 
when it finds less than 50K. You may set the size explicitly, 
but not to less than 10K. 


Maximum number of stations in the name table. You can 
reserve space for the working name table, making it either 
smaller or larger than its default capacity of 500 station 
addresses. 


MAXSTNS=nnn 


Number of rows or columns in the display screen. The ROWS=nnn 
analyzer automatically detects the size of the display. These | COLS=nnn 
parameters permit you to declare some other size. 

CGA flicker adjustment. Some early CGA monitors flicker WAIT 
unless access to the screen is confined to retrace. To force the | NOWAIT 


display drivers to wait until retrace, elect WAIT; the 
analyzer’s default is NOWAIT. 


Figure 7-12. Startup parameters affecting the context of use. 
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Topic 


Parameters 


Extended memory allocation. The parameters I= and E= 
affect not the Sniffer analyzer itself but the extended 
memory manager. Within SNSTART.BAT, the line that begins 
FIXEMM contains two uses of I=. These are followed by a 
reference to %4, which passes a use of I= or E= from the 
.MNU file that invoked SNSTART. 


The parameter I= or E= is followed by a pair of hexadecimal 
addresses specifying the beginning and end (inclusive) of a 
block of extended memory to be included (I) or excluded (E) 
from the memory made available to the Sniffer analyzer. 
The starting address must be on a 16K boundary and at least 
A0000; each is written in 16-byte units, so that (for example) 
the address C8FFO appears simply as C8FF (without the 
trailing 0, or a final H). 


l=hhhh-hhhh 
E=hhhh-hhhh 


Restrict the Sniffer analyzer’s use of extended memory. In 
general, the Sniffer analyzer allocates to itself as much 
memory as it can. The startup parameter REL= causes it to 
release memory to DOS, forcing a reduction in the total to 
the analyzer, visible primarily as a reduction in the capture 
buffer. The argument is written in hexadecimal as kilobytes, 
with the letter K included. 


REL=unnK 


Figure 7-13. Startup parameters affecting extended memory. 
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Topic Parameters 


Report the Network Interface Card's Interrupt Level. The ! IRQ=n 
parameter IRQ= informs the Sniffer software which interrupt 
line the network interface card is using. 


Report the Network Interface Card’s I/O Addresses. The IOBASE=hhhh 
parameter IOBASE= reports the start of I/O memory. The 
argument must be written as four hexadecimal digits, 
without a following H. 


Report the Network Interface Card’s RAM Addresses. The RAMBASE=hhhh 
parameter RAMBASE= reports the start of addressable RAM. 
The argument must be written as four hexadecimal digits, 
without a following H. 


Report the Network Interface Card’s DMA Channel. The DMA=n 
parameter DMA= reports the number assigned to the NIC’s 
direct memory access channel. The argument is a one or two- 
digit decimal number. 


Important: These parameters do not set characteristics of the network card; they simply 
report to the Sniffer software a description of the NIC’s characteristics. In most cases, those 
characteristics are controlled or modified by setting DIP switches or jumpers on the card. 


Figure 7-14. Startup parameters reporting configuration of the network interface card. 
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Network Sniffer | IRQ DMA | IOBase! | RAM Base ROM base 
(NIC ) series 
ARCNET 300 3; n/a n/a c800h n/a 
DataPoint 500 4-7, 9-12, 0-fc00h 
Rim III 14, 15 (16K bytes) 
Ethernet 300 11; 6; 300-30fh; | n/a | n/a 
3Com 500 3-7, 9-12, | 5,7 0-3f0h 
EtherLink Plus 14,15 (16 ports) 
LocalTalk 500 2; 1; 398h n/a n/a 
TOPS 3 3 310h, 

390h 

(4 ports) 
PC Network 500 2; 3 360h; n/a n/a 
Sytek 6120 3 368h 

(8 ports) 
StarLAN | 300 3; 1 100h; n/a n/a 
Data General 500 2, 4-7 300h 

(16 ports) 
Token Ring 16/4 | 300 3; n/a a20h; dc00h; d800h; 
(AT bus) 500 2, 6,7 a24h c000—dc00h c000-de00h 
IBM (4ports) | (16K bytes on | (8K bytes on 

16K boundary) | 8K boundary) 
Token Ring 16/4 | 700 3; n/a a20; dc00h; d800h; 
(MCA) 2, 10, 11 a24h c000—dc00h c000—de00h 
IBM (4 ports) | (16K bytes on | (8K bytes on 
16K boundary) | 8K boundary) 

WAN/ 500 | 3; 1 and 3 | 200h; n/a n/a 
Synchronous 4-7 (uses 300h 
PCI both) 


Entry in bold is the default value with which the Sniffer analyzer is shipped. Other entries are 
potentially valid alternatives, provided they do not conflict with other software or hardware. 


Figure 7-15. Default and alternate values of NIC parameters. 


1 Be aware that many PCs decode only the low-order 10-bits of an I/O address, and therefore treat all address 
modulo 1024 (400H ). On such a machine, I/O addresses such as 300H, 700H, BOOH or FOOH may look different but in 
fact refer to the same address. 


notify the analyzer of its address. 


The ROM base address is set directly on the token ring network interface card; no parameter is used or required to 
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Chapter 8. The Configuration Utility 


Chapter Overview 


The Configuration Utility permits you to build a new version of the Sniffer 
analyzer’s software. It creates a new Sniffer analyzer program, and places it in the 
selection menu. This permits you to create an analyzer that contains just the 
protocol interpreter suites you specify. This is useful when it is impossible or 
inconvenient to use all your Pls in a single executable file. 


The Configuration Utility also permits you to delete exisiting interpreter software. 
It automatically removes deleted items from the selection menu. 


Need for a Subset of Interpreters 


When would you need a subset of your PIs? Only when the protocol interpreter 
suites you've ordered take up so much of the computer's available memory that 
that they can’t all run at once. 


If you have the configuration utility, it automatically appears in the selection menu 
at startup. You have the configuration utility if: 


* The protocol interpreters you ordered —if all installed at once— would require 
more memory than is available on the platform you ordered. 


or 


* You ordered all protocol interpreter suites. 


If you don’t see configuration utility in your selection menu, this chapter doesn’t 
apply to you and you can skip it. 
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tm 
The Sniffer Network Analyzer 
Main selection menu 


Ethernet Analyzer Internal display 
Ethernet Analyzer External color monitor 
Ethernet Analyzer External LCD projector 
Token Ring 16/4 Analyzer Return to DOS 

Token Ring 16/4 Analyzer System shutdown 

Token Ring 16/4 Analyzer 

TeleSniffer 


Configuration Utility 


Go to configuration utility menu. 


Use arrow keys to select, then press Enter. 


Figure 8-1. Configuration utility in the selection menu. 


Several Executables for the Same Network 


When you order more PIs than can fit into a single executable file on your 
platform, Network General automatically provides you two or more versions of 
the Sniffer software for the same network. Each version has some subset of your 
interpreter suites. Between them, the two versions include all the protocol suites 
you ordered. Usually there’s considerable overlap. 


Looking at the selection menu, you see multiple entries for the same network. For 
example, you may see Ethernet analyzer twice. To see which protocol interpreter 

suites are in each Ethernet analyzer, move the highlight. When the highlight is on 

one of the analyzer entries, the detail panel (in the lower part of the screen) shows 
a list of that analyzer’s protocol interpreter suites (see Figure 8-2). 
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ini 
The Sniffer Network Analyzer 
~Main selection menu 


Ethernet Analyzer 
Ethernet Analyzer 
Ethernet Analyzer 
Token-Ring 16/4 Analyzer 
Token-Ring 16/4 Analyzer 
Token-Ring 16/4 Analyzer 
TeleSniffer ; 
Configuration Utility 


Internal display 
External color monitor 
External LCD projector 
Return to DOS 

System shutdown 


Suites: DECnet, XWindows 


Use arrow keys to select, then press Enter. 


Figure 8-2. Interpreter suites are listed for the highlighted analyzer. 


You need the configuration utility only to build a version of the Sniffer software 
with a different combination of protocol interpreter suites. For example, suppose 
you order a PA-302 Ethernet analyzer with TCP/IP, Sun, ISO, DECnet and X 
Windows. Since those won’t all fit at once in the Series 300, Network General splits 
them. You receive two executables. Each appears in the selection menu as Ethernet 
Analyzer. (If you were to look at the actual names of the files, you'd see that 
internally the files have different names; each name encodes the protocol suites the 
file contains.) 


As delivered by Network General As you configure yourself 
Ethernet analyzer Ethernet analyzer Ethernet analyzer 
[file ENSN3GG0.EXE] [file ENSNO8G0.EXE] [file ENSN28G0.EXE] 
1304 TCP/IP 1307 DECnet 1304 TCP/IP 
1305 Sun 1311 X Windows 1307 DECnet 
1306 ISO 1311 X Windows 
1311 X Windows 


Figure 8-3. Possible subsets of a set of protocol suites. 


Suppose you would find it more convenient to have an analyzer that contains X 


Windows, DECnet, and TCP/IP. That’s when you need the configuration utility. 
When you tell the configuration utility what protocols you want to include, it 
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generates a new executable file.! Like the others, the new executable appears in the 
selection menu as Ethernet analyzer. The menu displays the list of its protocols 
when you highlight its name. 


Compiler for the Configuration Utility 


If your analyzer has the configuration utility, it also has a copy of the Microsoft 
Quick C Compiler. It resides in the optional sub-directory QC2 within the TOOLS 
directory. You don’t have to run the compiler yourself; the configuration utility 
does that automatically. 


Running the Configuration Utility 


To run the configuration utility, go to the Sniffer analyzer’s selection menu. Scroll 
until the highlight is on configuration utility; it’s the last item on the left side. If 
the menu already has several lines devoted to analyzers, the item you want may at 
first be out of sight, below the lower edge of the panel. If so, use the cursor keys to 
scroll down to it. With the highlight on configuration utility, press Enter. 


When the configuration utility starts, you see a screen like the one in Figure 8-4. 
The center panel has the three options: build, delete, or exit. 


The Sniffer Network and Protocol Reference includes a chapter describing how to build a custom interpreter. When you 
follow its instruction, you compile your new interpreter and link it into the main Sniffer program. When the process 
is complete, you will have built a version of the Sniffer analyzer that contains your new PI together with some or all 
of the PIs you purchased. The Configuration Utility does the same thing, but automates the process for the protocol 
interpreter suites supplied by Network General. 
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fpMENUS 
Network 
General 
Sniffer (tm) ARCNET 
Network Analyzer Ethernet 
Configuration Delete Sniffer PC-Network-F1 
Utility Exit ¢< StarLAN 
Token-Ring 
Version 1.00 
(C) Copyright 
1986 - 1990 


Create a new Sniffer Network Analyzer 
for a selected network and protocol interpreters. 
Use the arrow keys to move, or ENTER to do this function 


Figure 8-4. Main menu of the configuration utility. 


When the highlight is on delete, the panel to the right contains a list of the various 
Sniffer analyzers now on your machine. (It’s the same as the list of analyzers that 
appears in the selection menu.) 


When the highlight is on build, the panel to the right contains a list of all the 
networks for which you could build a Sniffer analyzer. 


Selecting a Network 


You can build a Sniffer analyzer for any of the network interface cards supplied 
with your Sniffer analyzer. (Figure 8-4 shows more networks than you're likely to 
have ina single analyzer.) The card doesn’t have to be physically in place during 
build, but must be there when you're running the software for its network. When 
your analyzer is equipped for one network only, the list of networks has only one 
item. 


When you have more than one interface card, the menu has an item for each. 
Initially, the arrow of the radio control is at the top of the list. To move the 
arrowhead to the network you want, highlight it and press space bar. 


Selecting Protocol Interpreter Suites 


When you highlight a network in the center panel, the right panel shows a list of 
protocol interpreter suites (Figure 8-5). The list shows the protocol interpreter 
suites you've actually purchased, so your list may not include some of the PIs 
shown in Figure 8-5. To show which interpreter suites to include, put a check 
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mark V beside each you want, a X¥ beside each you don’t. Initially, they’re all 
checked. By moving the highlight to an item and pressing Spacebar, you reverse 
the V (selected) to X (not selected). 


v IBM 
J Novell 
J XNS/NSNET 


Build Sniffer ee al / TCP/IP 
Delete Sniffer ¢ | foken-Ring v SUN 

Exit ¢ ISO 

/ DECnet 

/ Banyan 

/ AppleTalk 
/ XWindows 


Should the new Sniffer software run on Ethernet? 


Press space to select this option 


Figure 8-5. List of available protocol suites. 


How Many Suites Will Fit? 


The various protocol interpreter suites differ in size. Moreover, the space required 
for a particular combination is not the sum of their separate parts. As a rule of 
thumb, don’t put more Pls in a file than you find in the executables that Network 
General supplies for your machine. But to be sure, you'll need to experiment. Even 
when the compilation runs successfully, the resulting executable may still be too 
large to execute. After you've built a new executable file, try it to make sure. If it it 
is too big, you'll get an explanatory message as soon as you start it. 


Starting to Build 


Once you've selected the network and the protocol suites, move the highlight back 
to build Sniffer and press Enter. The configuration utility repeats a description of 
the Sniffer analyzer you propose to build and asks you to confirm. (If you ask for 
one that already exists, it points out that your proposed analyzer will replace an 
existing one, and asks you to confirm.) 


Once you confirm your choice, the utility puts up at screen headed BUILD 
PROGRESS and marks the progress through four stages: 
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Building the configuration file 
Compiling 
Linking 
Post-link processing 
If the utility encounters an error during the process, you'll see a summary error 


message. This message may tell you where the configuration utility has written a 
more detailed error report. 


Completion 


When the build reaches a successful completion, the configuration utility displays 
a confirming message. You're ready to exit—or to build another if you want. When 
you exit from the configuration utility, you are returned to the selection menu. 
The Sniffer analyzer that you just built has now been added to the menu. It’s ready 
to run in the same way as the other analyzers already installed. 
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9. Troubleshooting Checklist 


Chapter Overview 


This chapter lists some simple problems and their remedies, in the hope of saving 
you vexation —or the need to call for help 


Please Check First 


When you suspect a problem with the Sniffer network analyzer’s equipment or 
software, before contacting us, please look through the check list that follows. 
Many times we find that correcting a simple oversight can save you (and us) lots of 
time. 


But if that doesn’t solve your problem, do please call. Support hours are 7 am to 5 
pm Pacific time, weekdays. 


hone for rk General’ 
| mcpenemecornls | (418) 688-2700 | 
| FAX: (415) 321-0855 | 


Please Fill In 


Serial number of your 
Sniffer Network Analyzer 


There is nothing on the |1. Check the power cable and power source. 
screen 


— 
ay 


Check the power switch. 


Make sure the monitor's controls for brightness and 
contrast are set so the display is visible. 


The Sniffer analyzer 1. Make sure there is no diskette in the floppy drive 
ll program does not start. when you start the Sniffer analyzer. (This may 
(It should present the produce the message Non-system disk or disk 


selection menu.) error.) 

2. Double check any modifications you might have 

| made to the startup file \AUTOEXEC.BAT on the hard 
disk. 
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You cannot capture data 
from the network 


1. 


Make sure that the capture submenu says from 
Ethernet (or token ring, LocalTalk, StarLAN, 
ARCNET, WAN/synchronous or PC Network, etc., 
as the case may be). 


...and you are using 
ARCNET 


Check the connection from the BNC connector on 
the Sniffer analyzer's ARCNET adapter to the RG-62 
cable from the ARCNET hub unit. 


Check the network hub unit, using the instructions 
provided by its manufacturer. The hub may include 
a light indicating when it is receiving a signal (from 
the station to which it is connected, in this case the 
Sniffer analyzer). Try generating traffic from the 
Sniffer analyzer to see if it lights up. 


...and you are using 
Ethernet 


Check the connection from the DB-15 or BNC 
connector on the Sniffer analyzer’s Ethernet adapter 
to the Ethernet cable. 


Check the connection from the Ethernet cable to the 
transceiver. 


Check the transceiver, using the instructions 
provided by its manufacturer. The transceiver may 
include a light indicating when it is receiving a 
signal (from the station to which it is connected, in 
this case the Sniffer analyzer). Try connecting a 
different station to the same transceiver or the 
Sniffer analyzer to a different transceiver. 


...and you are using 
StarLAN 


Check the connection from the RJ-45 connector on 
the Sniffer analyzer's StarLAN adapter to the 
StarLAN cable. 


Check the connection from the StarLAN cable to the 
network hub unit. 


Check the network hub unit, using the instructions 
provided by its manufacturer. The hub may include 
a light indicating when it is receiving a signal (from 
the station to which it is connected, in this case the 
Sniffer analyzer). Try generating traffic from the 
Sniffer analyzer to see if it lights up. 
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...and you are using 1. The message lobe media test failed probably means 
token ring that the token ring cable is not attached. Make sure 
it is plugged into the DB-9 connector for token ring 
and not the DB-9 connector for video. 
2. Make sure you have selected the appropriate speed 
(4 Mbps or 16 Mbps) in the options menu. 
3. The message lobe wire fault probably means the 
cable is not connected to a Multistation Access Unit 
(MAU). 
4. If connecting to a 3COM token ring system, you 
must use a standard IBM Multistation Access Unit 
(MAU) port, and NOT the 3COM Ring-Tap unit. 
...and you are usinga | 1, Check the 3-way connection between the Sniffer 
WAN/synchronous link analyzer, DTE and DCE. Since two of the three 
connectors are physically identical, it’s important to 
check the labels to verify that the cable is correctly 
connected. 
Le L 
There is no output on the | 1. Check that the monitor is working and adjusted 
ll (F external color monitor properly. 
...and you have a series 2 Make sure you select external color monitor in the 
300 or a series 500 Sniffer selection menu when you start the Sniffer analyzer. 
analyzer | 
... and your series 300 or | 3. Make sure your monitor is attached to the DB-9 
500 analyzer has a token connector marked “Video” and not to the DB-9 
ring interface card connector marked “token ring.” 
...and you havea series | 4, The analyzer detects the monitor automatically 
700 Sniffer analyzer provided that the monitor is already connected when 
you turn the analyzer on. (On the series 7001, there 
isn’t a menu item for an external monitor.) When 
you attach a monitor: (a) Turn off the analyzer. 
(b) Connect the monitor to the analyzer’s VGA port. 
(c) Turn on the analyzer 
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You get the warning “A 
full size capture buffer 
cannot be allocated” 


1 


Don’t worry. You can still collect data even if the 
Sniffer analyzer doesn't have room to allocate a 
maximum-sized buffer. The message explains how 
large a buffer has been allocated. 


Remove optional memory-resident programs that 
you may have installed (for example, ProKey or 
Sidekick). They consume both memory space and 
time. 


If you are unable to free sufficient space because you 
are keeping a large number of protocol interpreters 
active at the same time, you may wish to rebuild the 
Sniffer analyzer software so as to minimize the space 
consumed by PIs. See Chapter 8, Configuration 
Utility. 


You don’t see traffic that 
you expect 


Check the station, protocol, and pattern-match 
capture filters to see whether traffic is being 
discarded. If the “frames seen” count is larger than 
the “frames accepted” count, then frames are being 
discarded. 


...and you are using 
token ring 


Check that the ring speed (16 or 4 Mbps) is set 
correctly in the options menu. 


Check that you are not the only station inserted on 
the ring. 


If there are multiple MAUs, check that they are 
cabled together properly. 


...and you are using a 
WAN/synchronous link 


Check that frame type is set correctly in the options 
menu. 


Check that encoding is set correctly in the options 
menu. 
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A pattern-match filter or 
trigger doesn’t seem to 
work 


i— 


— 


Check the protocol and station-address filters; they 
may be causing the frames of interest to be 
discarded. 


Double check the offset; detection of a pattern 
depends on telling the Sniffer network analyzer both 
what to look for and where to look. 


frames sent on token ring 


...and you are looking at | 3- 


Check the offset origin: is it frame-relative (starting 
with the first frame byte) or data-relative (starting 
with the first LLC byte)? 


If you get the message 
“No frames selected for 
display” 


SI 


oy OV oe eR 


Check the address level display filter, or 
Check the destination class display filter, or 
Check the station address display filter, or 
Check the protocol display filter, or 

Check the pattern-match display filter. 


Make sure that the display and capture filters are not 
mutually exclusive. | 


rn You don’t see frames that Check the display filters. 
you expect 2. Check the capture filters, since they may have 
caused the frames to be discarded. 
Traffic counts during 1. Check that you have selected the appropriate units 


capture show implausible 
numbers 


Itt 


(frames or kilobytes) in the capture menu. 


A “from” or “to” filter 1, 
ll ff isn't working 
2. 


Check the setting of the reverse direction option in 
the filter menu. 


Check the settings of other filters involved in capture 
or display; what you see displayed is what passes 
through all the filters. 


Check that an earlier address filter doesn’t already 
accept or discard the frames in question. Recall that 
filters are examined in sequence 
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Network utilization seems 
too low 


Check the display filters. Remember that only 
displayed frames are used in the network utilization 
calculation. Sometimes lower-level protocols that 
are not displayed carry much of the actual data. 


Do some reasonableness checks based on the frame 
sizes. The utilization might indeed be correct! 


Itt 


You are not seeing 
symbolic station names 


Check the address level filters to include addressing 
at the level you want. 


Use manage names to examine and add to the 
names list. 


Remember to save names to make a permanent 
record of any changes. 


Make sure the file STARTUP.xxD is in the analyzer’s 
current directory (normally, \CAPTURE) 


HELP information is not 
available 


Make sure the file xxSNIFF.HLP is in the default 
directory. 


Make sure the various help files are in a sub- 
directory called HELP within the same directory as 
XxXSNIFF.HLP. 


-— 
lata 


You aren't getting any 
print output 


Check the printer itself (power, switch settings, etc.). 


Check that you have selected LPT1 or COMI (as 
appropriate) rather than file for the printer 
destination. 


For serial printers, make sure that the transmit and 
receive pins are wired correctly. For some printers 
you may need a null modem cable. 


For serial printers, make sure that you have issued 
the appropriate MODE command to set the baud rate 
word size, parity, etc. 


J 


Check the cable to the printer. For serial printers, 
make sure you are connecting to the appropriate 
port. The printer cable needs a female connector, 
DB-9 for the series 300 or 500, DB-25 for the 700. The 
series 300 has two serial ports, so be sure you have 
connected appropriately. 
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i You aren't getting all the | 1. Check the from frame and to frame options in the 


print output you expect print menu. Do you have frame nnn selected instead 
of first frame or last frame? 


2. Check the display filters; they affect what is printed. 
Remember that to print the entire detail report you 
must select all protocol levels and turn off highest 


level only. 
You cannot save the 1. Inthe save data dialog box, rewrite the name of the 
capture buffer to a file target file so that it starts with the drive letter A:, 
because your hard disk is and write the file to a floppy disk. 
full 2. Move temporarily to the delete files menu and 


delete an unwanted file. Then return to save data 
and repeat your request. 


You have found a problem 1. Try to recreate the problem after saving a trace file 
with the Sniffer network (perhaps filtered) and the setups to a floppy diskette. 
analyzer software Then: 


_ 
ata 


* Start the Sniffer analyzer. 
* Load the trace file. 
¢ Load the setups. 


* Recreate the problem. 


If it is a display error, “print” the relevant part of the 
display to a diskette file. 


If you can reconstruct the problem in this fashion, 
please send the diskette to the Network General 
Corporation Technical Support Department. Be sure to 
include your system serial number and the software 
version number (displayed in the initialization screen.) 
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300 Series 
external trigger 58 


interface card parameters 
178 


500 Series 
external trigger 58 
interface card parameters 
178 
modular system 10 


700 Series 
external trigger 58 
interface card parameters 
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3Com 
EtherLink Plus interface 
card 178 
manufacturer code 167 


3Com+ 
trigger example 61 


absolute time 107, 109 

AC byte in DLC header 90 
ACC, manufacturer code 167 
Acer, manufacturer code 167 
ACK, protocol filter 49 


active 
call in LCN table 72 
panel 103 
skyline 74 
token ring monitor 13 
zoom panel 126 


adapter— see network 
interface card 


address 
6-byte DLC 113 
additional name table 162 
automatic scan captured 
frames 101 
bit reversal on PC network 
114, 167 
bits on wire vs. bits in 
memory 40, 113, 167 
broadcast 47 
capture filter 8, 35, 43 
count 66, 68, 71 
DECnet format 113 
dialog box to select 45, 101 
DLC 
capture filter 43 
format 113 
manufacturer's ID 105 
vs. higher level 98 
DRP format 113 
edit name table 101 
filter 42, 44, 98, 99 


any station 44 
apparently not working 
195 


example 45 

fewer than four matches 
44 

joint effect of several 44 

procedure 99 

select station by name 
100 


format 45, 104, 112, 113 
functional 47 
generated frame 85 
generic 47 
hexadecimal 45 
higher level 105, 139 
display format 112 
IEEE 
manufacturer’s codes 113 
standard for bit order 
114, 167 
IP format 113 
LCN 72 
level— see separate entry 
for address level 
match 59 
name assignment 101 
name during capture 36 
name during display 104 
octal 45, 105 
one name for multiple 
ARCNET addresses 165 
one-byte 69, 104 
pair counts 38, 62 
saved setup 145 
source count 69 
source vs. source-and- 
destination count 38 
specific vs. generic 35, 47 
spurious 67 
station 86, 136 
symbolic name 6, 136 
type 136, 139 
unique in name table 140 
unknown 8, 35, 42 
unnamed in name table 37 
VCS format 113 
width of field 105 
XNS format 113 


address level 105 


blank names limit in name 
table 137 
effect on name table 138, 


effect on scan for names 
141 
failure to display names 


filter 98 


name table 100 
summary view 99 


address recognized 
token ring frame 120 


addrtype 
name table field 163 


Agilis, manufacturer code 167 


Alantec, manufacturer code 
167 


alias, one name for several 
stations 165 


alignment error 
filter 36, 42, 56, 98, 102 
flag 108 
alphabetization, name table 
165 


Alt-Spacebar to reverse all 
selections 29, 49, 102 


Alt-X, don’t care character in 
pattern match 52 


Altos, manufacturer code 167 


Ameristar Technology, 
manufacturer code 167 
analysis 
vs. capture 34 
vs. monitoring 3 


analyzer present, token ring 
beacon 13 


any station> 
address filter 44, 100 


Apollo, manufacturer code 


Apple, manufacturer code 
167 


AppleTalk 
format of DDP address 113 
level in name table 101 


application layer, OSI model 
121 


AR, network abbreviation in 
file name 155 


ARC, extension for file of 
captured frames 155, 159 


ARCNET 
address format 113, 164 
broadcast address 47 
length encoding 123 
matrix of traffic by sources 
69 
network code 
protocol filter 48 
network interface card 178 
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one name for multiple 
addresses 165 
one-byte address 104 
probe 70 
caution 71 
total of reconfigures 63 
trigger example 61 


ARD, extension for file of 
station names 141, 155 


Ardent, manufacturer code 
167 


ARI, extension for file of 
manufacturer IDs 155, 166 


arithmetic fields 
byte order 171 


ARP, protocol filter 49 


arrival time, field in trace file 
171 


arrow key— see “cursor 
keys” 
ARS, extension for file of 


setup specifications 144, 
155, 161 


ARSNIFF, directory 158 


ASCII 
hex view 122, 123 
search for text 129 


transliteration in hex view 
122 


ASN.1, ISO protocol 
interpretation 118 


AT&T, manufacturer code 
167 


audible clicks 34, 39 


AUTOEXEC.BAT 
file to start Sniffer analyzer 
156, 159 
interaction with DOS 
environment variables 
174 
Sniffer analyzer fails to 
start 191 
automatic character 
transliteration 123 
B, suffix in extension of 
binary file 155 
backspace, example in 
pattern match 54 
bad alignment 
filter 98, 102 
flag 108 


bad CRC 
filter 98 
bandwidth, network 
utilization estimate 109 
bar graph 
linear vs. log scale 37, 65 


traffic density 15, 64 
units 62, 65 


BAT, file extension for batch 
DOS commands 154 


batch file 
AUTOEXEC.BAT 156, 159, 
174, 191 
SNSTART 158, 172 


BBN, manufacturer code 167 


beacon, token ring 
fragmented 39 


BICC, manufacturer code 167 
binary 
data for pattern match 52 
field interpretation 117 


bit reversal 
PC Network representation 
of token ring addresses 
114, 167 
bit-level interpretation 117 
blank screen 191 
BNC connector 
ARCNET 192 
Ethernet 192 
bridge 
monitoring two sides 59 
source routing information 


Bridge, manufacturer code 
167 


brightness control 191 
broadcast 
filter 35, 42, 45, 47, 98 
station address 47, 138 
BUF=nnnk, startup 
parameter 175 
buffer 
flag in trace file 171 
typeahead 175 
bug in Sniffer software 197 


build, configuration utility 
command 184 


byte order, numeric field in 
trace file 171 


bytes 73, 107 
cumulative 108 
display of count of traffic 
seen 63 
measure of traffic volume 


number in frame 109 
summary view 109 
units 65 


bytes written, field in trace 
file 171 


C compiler, configuration 
utility 184 


C, suffix in extension of trace 
file 143, 155 


cable fault, token ring 14 


cable test 
Ethernet 38 
fault diagnosis 81 
menu option 79 
summary view 104 


call 

accepted, X.25 type 72 

active vs. completed in 
LCN table 72 

name for source or 
destination 73 

number count during 
capture 38, 72 

request, X.25 type 72 


capture 
continuous 60 
count X.25 or SNA 71 
counters vs. skyline display 


default setup 34 

discard previous buffer 41 

display alternatives 65 

DLC address in filter 43 

effect of display menu 36 

from file of saved frames 
34, 41, 136 

general description 33 

halt when buffer full 36 

highspeed mode 15, 38, 65, 
66 


introduction 7 
live vs. playback from file 

14, 37, 62, 66, 95 
menu options 61 
monitor during 33 
monitoring vs. non-capture 

monitoring 33 
names in display 36 
options for stopping 59 
pause 41 
preparations 33 
saved setup 41, 145 
skyline display 34, 73 
skyline scale adjustment 74 
start 38, 67, 127 
steps required 34 
stop 41 

amount following trigger 
36 
when buffer full 60 

tabulation 38 
time required for filters 43 
traffic density display 15 
traffic density units 62 
trigger to halt 36 
types of filters 42 
unable to start 192 
vs. analysis 34 
vs. display 3 
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WAN/synchronous 
example 72 


capture buffer 14 

automatic scan for 
addresses 101 

capacity 16 

chime when full 64 

discard at new capture 41 

display frames 18, 96 

filled during capture 17, 34, 
36 


load with file of saved 
frames 142 

not in saved setup 145 

overflow 60 

percent full report 64 

position of trigger frame 59 

report on frames 131, 167 

report size 61 

role 95 

save to file 18, 41, 142, 143, 
158 

file format 168 

startup parameter to limit 
size 175 

temporary storage of 
accepted frames 34 

unable to allocate full size 
194 


capture filter 8, 14, 34, 35, 41 
defective frames 67 
failure to work 195 
menu option 41 
pattern match 50 
pattern match example 54 
protocol 48 
saved setup 145 


CAPTURE, directory 158, 
159, 162 

captured frames file 

identifying extension 155 

CAPTURING (message) 61 

case in search for text 128 

Cayman, manufacturer code 
167 

CDC, manufacturer code 167 

CEG, file name extension for 


analyzer configuration 
154, 157 


CGA snow correction 
startup parameter 175 


change path 158 


character 
data for pattern match 52 
translation in hex view 122 
transliteration of ASCII or 
EBCDIC 122, 123 


Cheapernet, propagation 
speed 80 


chime 
to report buffer full 64 
to report trigger 64 


CIMlinc, manufacturer code 
167 


cisco, manufacturer code 167 


clear 
name table 140 
request, X.25 type 72 
to send signal 58 


click, audible 34, 39 
CMC, manufacturer code 167 


collision 
during traffic generation 13 
effect on cable test 81 
fragment, filter 102 
fragment, flag 108 

color 
monitor 121 
representation of OSI 

layers 121 

startup parameter 175 


COLS=nnn, startup 
parameter 175 


COM1 132 
external trigger 36, 57, 58 
printer 196 


ComDesign, manufacturer 
code 167 


command-line parameters 
Sniffer analyzer 172 


comment in name table 163 

Compaq, Sniffer modular 
system 10 

compile, stage in 
configuration utility 186 

compiler for configuration 
utility 184 

completed, call LCN table 72 

CONFIG, directory 157 

CONFIG.SYS, file 156 


configuration file 
describes network interface 
for configuration menu 
157 


configuration utility 10, 181 
build new Sniffer file 186 
compiler 184 
generates Sniffer menu 

items 157 
selection menu 184 
selection of protocol suites 
185 
when needed 181 
connector 


BNC ARCNET 192 
DB-15 Ethernet 192 


DB-9 printer 196 

DB-9 serial port 58 

DB-9 token ring 193 

DB-9 video or token ring 
193 


contrast, monitor 191 


counter 
bytes 15 
display during capture 37, 
65 


frames 15, 62 
format 66 
frames seen 15 
kilobytes 15, 62 
source address 62 
suppressed during 
highspeed capture 65, 
66 


traffic 34 


CRC error 
filter 36, 42, 56, 98, 102 
flag 108 


create directory 158 


CSV 

comma separated values 
file 133, 134 

comparison of file and 
screen output 135 

effect on detail or hex 
views 135 

file extension for formatted 
data 154 


CTS 
external trigger 57, 58 
protocol filter 49 
synchronous line status 
indicator 64, 72 


cumulative bytes 107, 108 
summary view 109 


cursor keys 12 
horizontal scrolling 127 
next line or frame 127 
scrolling 37 
to pass from display to 
pattern entry 54 
to scroll LCN table 72 


“cut and paste” 
pattern and offset 125 


D, suffix in extension of name 
file 137, 155, 159 


data 
file name 159 
generated frame content 85 
load 41, 142 
rate 15 
sample files xvi 


Data General 
manufacturer code 167 
network interface card 178 
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data-relative offset 53, 195 


Datapoint 
Rim III interface card 178 
system code 71 


dataset ready signal 58 
date format in trace file 170 


days since start, field in trace 
file 171 


DB-9 connector 
printer 196 
serial port 58 
token ring vs. video 193 


DCA, manufacturer code 167 


DCE 
count during capture 38, 
71, 72 
filter 35, 42 
frame count 62 
tabulation in skyline 73 


DDP 
address format 113 
protocol filter 49 


DEC, manufacturer code 167 


DECnet 
address format 113 
interpreter suite in 
configuration utility 
example 183 
manufacturer code 167 
default 
capture 34 
directory 162 
setup restored 161 
DEFAULT.xxS, file 162 


defective frame 
filter 35, 56, 67, 98, 102 
overlapping categories 56 
total seen 63 
delay, traffic generator 87 
delete 
configuration utility 
command 184 
data file 144, 197 
example in pattern match 
54 


delimiter, CSV format 133, 
134 


delta time 107, 109 


demonstration 
IBM-compatible PC xv 


filter 35, 42, 44 

generated frame 86 

generic 47 

logical call 73 

omitted in two-station 
format 106 

pair count 66 

tabulation during capture 
38 


destination class 
filter 8, 35, 42, 47, 98 
detail view 18, 103, 110 

continuation to following 
frame 125 

CSV format 135 

display 96 

format of higher level 
address 112 

highlight corresponding 
hex view 124, 125 

level initially displayed 112 

position 103 

protocol level 112 

screen vs. printed 133 

search for text 129 

synchronization with 
summary view 19, 112, 
117, 127 

treatment of address 
recognized bits 120 


DG, manufacturer code 167 
diagram of flow of frames 3 


dictionary of station names— 
see name table 


directory 
ARSNIFF 158 
CAPTURE 158, 159, 162 
CONFIG 157 
create new 158 
default 162 
DOS 157 
ENSNIFF 158 
in dialog box to select file 

143 

LTSNIFF 158 
organization 156 
PISNIFF etc 158 
path not in saved setup 145 
path to a different 158 
root 156 
SAMPLES 158 
saved capture files 158 
SLSNIFF 158 
SYSNIFF 158 


display 
automatic scan for station 
addresses 101, 137, 138, 
140, 141 
capture buffer 41 
detail view 96, 103, 112 
effect of name table on 
capture 36 
form of 18 
format 
two-station 106 
hex view 96, 103, 122 
highest-level only 105 
menu 96 
name table 36 
name width 104 
options 97, 126, 128, 130 
options, function key 127 
role of capture buffer 95 
screen vs. printed 133 
search for pattern 9 
search for text 9 
skyline vs. meters during 
capture 15 
start 97 
function key 126 
summary view 96, 103, 104 
two viewports 96 
vs. capture 3 
width of name field 105 
width of time fields 107 
display filter 9, 18 
address level 98 
defective frames 98, 102 
effect on saving frames 143 
failure to work 195 
menu 97 
pattern match 50, 98, 102 
protocol 98, 102 
save frames 143 
saved setup 145 


distance to cable fault 80 


DLC 
address 98 
address format 113 
bit reversal in address on 
PC Network 40 
capture filter 43 
header AC and FC bytes 90 
level in name table 101 
protocol 
6-byte address standards 


address format 164 


i SAP 
Sniffer network analyzer xv TOOLS 157 : 
density TRSNIFF 158 protocol filter 48 
scale 62 xxSNIFF 158 DMA=n, a parameter to 
i : t direct memor 
traffic bar graph 34, 64, 73 disconnect repor y 
traffic display 6, 15 HDLC type 72 access channel 177, 178 
destination address token ring 39 DN, HDLC type 72 
counter 34 disk full 197 


Index 


don’t care character in 
pattern match 51, 52 


DOS 
command via TeleSniffer 
150 
directory 157 
environment variables 157, 
196 
vs. AUTOEXEC.BAT 174 
vs. startup parameters 
174 
path 157 


Dove, manufacturer code 167 


down arrow— see cursor 
down 


DRP 
address format 113 
protocol 
address format 113 


DSR 
external trigger 57, 58 
synchronous line status 
indicator 64, 72 


DTE 
count during capture 38, 
71,72 
filter 35, 42 
frame count 62 
tabulation in skyline 73 


DTR 
external trigger 58 
synchronous line status 
indicator 64, 72 


dual viewports 103 
duplicate name 140 


E=nnn-nnn, startup 
parameter to exclude 
memory allocation 176 


EBCDIC 
hex view 122, 123 
search for text 129 
transliteration in hex view 
122 
edit 
name table 36, 137, 138, 140 
single name for multiple 
ARCNET addresses 165 
startup parameters 173 


EGA external monitor 122 


EN, network abbreviation in 
file name 155 


ENC, extension for file of 
captured frames 155, 159 

encoding, 
WAN/Synchronous 
option 40, 194 


Encore, manufacturer code 
167 


end of file, trace file record 
168, 171 


End, cursor key 127 


END, extension for file of 
station names 141, 155 


ENI, extension for file of 
manufacturer IDs 155, 166 


ENQ, protocol filter 49 


ENS, extension for file of 
setup specifications 144, 
155, 161 


ENSNIFF, directory 158 


environment variables 196 
startup parameters 174 


EOF, trace file record 168, 171 


error 
filter for defective frame 36, 
56 
fragment 56 
overlapping categories 56 
Sniffer software 197 


error status, field in trace file 
171 


Ethernet 
cable test 38 
DB-15 connector 192 
highspeed capture 15 
minimum frame size 56 
monitoring 3 
multicast address 47 
network code in trace file 
170 
network interface card 178 
propagation speed 80 
transceiver 192 
trigger example 61 
Ethertype 89 
example 106, 111 
generated frame 85, 89 
protocol filter 48, 49 


Excelan, manufacturer code 
167 
EXE, file extension for 
executable 154 
executable file, utility to 
generate 11, 181 
extended memory allocation 
parameters 176 
extension, file name 153, 154 
external monitor 121 
additional skylines 74 
failure to show output 193 
startup parameter 175 
external trigger 36, 57, 59 
F1, help xv, 126 
F10 
start capture 38, 127 


stop capture 41 


F2 
ARCNET probe 70 
mark frame 132 
move to next skyline 74 
set mark 126 
toggle active vs. completed 
calls 72 


F3 
display capture buffer 126 
display data 97 


F4, zoom 103, 126 


F5 
return to main menu 126 
scale up skyline 73, 74 


F6 
display options 97, 128, 130 
get display options 127 
scale down skyline 73, 74 
F7 
go to previous frame 127 
scroll up LCN table 72 
view earlier skyline 73 


F8 
go to next frame 127 
scroll down LCN table 72 
view later skyline 73 


F9, pause capture 41 

fault, cable 79 

FAX, Network General 191 
FC byte, DLC header 90 


field 
delimiter in CSV format 
133, 134 
printed report 131 
width of name 105 
file 
capture from 37, 41, 62 
captured frames xvi, 34, 41, 
95, 136, 142, 143, 158 
format 168 
identifying extension 155 
contrast with working 
memory 140 
delete 144 
effect of display filter 97 
extension for manufacturer 
ID 155 
extension for name table 
155 
extension for setup 155 
extension fort captured 
frames 155 
menu option 142 
name for Sniffer analyzer 
software 155 
name table 159 
format 162 


(eer) 


—————w 
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naming conventions 153, 
154, 159, 172 

open (trigger example) 61 

playback of capture 66 

printer output 131, 167 

saved setup 145, 160 


filter 


address 44 
any station 44 
DLC 43 
example 45 
fewer than four matches 
44 
procedure 99 
select station by name 


address level 98 
selected name 100 
alignment error 42 
broadcast 98 
capture 8, 14, 34, 35, 41 
list of types 42 
pattern match 50, 54 
saved setup 145 
count of frames seen 15 
CRC error 42 
defective frames 35, 56, 67, 
98 
destination class 8, 35, 42, 
47, 98 
display 9, 18, 97 
pattern match 50 
saved setup 145 
saving data 143 
failure to work 195 
from DTE or DCE 35 
high-level protocol 34 
introduction 8 
joint effect of several 36, 42, 
44 


pattern match 9, 35, 42, 98, 
102 


protocol 8, 35, 42, 98, 102 
ARCNET network code 
48 
Ethertype 48 
SAP 48 
saved setup 145, 159 
station address 8, 35, 43, 98, 
99 


apparently not working 
195 


time required during 
capture 43 

unknown station 8, 35, 42, 
47 


filtered only, option in saving 
data 143 

FIXEMM.EXE, memory 
manager parameters 174 
flag 

alignment error 108 


CRC error 108 

FLAGS option 107, 108 
fragment 108 

lost frame 108 

mark 108, 109, 126 
reconfiguration 108 
trigger frame 61 


flip DLC address 
PC Network option 40, 114, 
167 


form feed, printed report 136 


format 
file of captured frames 168 
higher level address 112 
name table 162 
printed report 131, 167 
station address 104 
version record in trace file 

170 


fragment 
capture filter 67 
error classification 56 
filter 36, 56, 98, 102 
flag 108 


fragmentation protocol 
OSI layered model 121 


frame 
ARCNET 
length 123 
captured and saved to file 
41, 142, 143 
file format 168 
copied by Sniffer 120 
count 15, 62 
format 66 
units 65 
defective 35, 42, 108 
filter 56, 98 
total seen 63 
diagram of flow in 
analyzer 3 
discarded at new capture 
41 
discarded when buffer full 
34, 36 
display 41 
field in trace file 168 
filter to limit capture 8 
go to number 127, 128 
good (in filter) 36, 56 
jump to mark 127 
jump to trigger 127, 128 
lost 
highspeed capture 65, 66 
total 63 
marked 108 
minimum size 56 
number 107 
range in printed report 131, 
197 


scroll to next or previous 
127 


search pattern 50, 127, 130 

sequence number 92 

size 62 

storage following capture 
34 


synonym for “packet” 5 

timestamp 14 

trigger when detected 36, 
108 


truncated for storage 34 
truncation 37, 62, 63 
validity checks 120 


frame copied, token ring 120 


frame error status, field in 
trace file 171 


frame type, 
WAN/synchronous 
option 40, 194 


frame-relative offset 53, 195 


frames 
menu option 87 
number transmitted 
skyline 73 


frames per second 
capture display 6, 8, 15, 16, 
64, 68, 69, 70, 71, 72, 73, 
74 
generated 90 


frames seen, measure of 
traffic volume 37 


frequency, skyline update 62 
FRNR, HDLC type 72 


from frame n 
range printed 132 


from/to, option 59 


full buffer 
capture 34, 36, 60, 64 


function keys 
display options 127 
display phase 126 
help 126 
menus 126 
new capture 127 
next frame 127 
pause or resume capture 41 
previous frame 127 
set mark 126 
stop or start capture 41 
zoom 126 


functional address 47 
filter 35 


generate traffic 13, 85 
go to frame number 128 


gone, response to ARCNET 
probe 70 


good frame 
filter 36, 56, 102 
total 63 


| | 
ley 


Index 


Gould, manufacturer code 
167 


GRAY, startup parameter 175 
GREY, startup parameter 175 


H-P Intelligent Networks 
Oper, manufacturer code 
167 


H-P, manufacturer code 167 


hard disk directory structure 
156 


hardware, Sniffer analyzer 9 


HDLC 
count by type 72 
count during capture 38 
WAN/synchronous option 
40 


header 
effect of truncating stored 
frame 62 
trace file 169 


heading 
printed report 136 


help 
failure to appear 196 
function key 126 
on-line xv 


HELP, directory 196 


hex view 103, 122 
character translation 122 
CSV format 135 
display 96 
highlight corresponding 

detail view 124, 125 
position 103 


hexadecimal 
color in display 121 
data for pattern match 52 
search for text 129 
station address 45 
view 19 


high level protocol 

frames that span several 

DLC frames 125 

high-order-bit first 

transmission order 114, 167 
higher level address 

display 105 

display format 112 

filter 98 

scan for names 141 


higher level protocol 18 
address formats 112 
interpretation 116 
name table 139 

highest level only 
affect on detail 112 
screen vs. printed 134 
summary view 105 


highlight 
coordination of views 19 
hex corresponding to detail 
interpretation 124, 125 
menu selection 24, 27 
select help topic xv 


highspeed capture 38, 65, 66 

Ethernet option 15 
“highwater” 

traffic density 64 

traffic density bar graph 62 
histogram, traffic density bar 

graph— see skyline 

Home, cursor key 127 
horizontal scrolling 127 


host, Sniffer analyzer run by 
remote controller 150 


HOSTS.xxD, file of names for 
host addresses 162 


I, suffix in extension of 
manufacturer ID file 105, 
155, 159, 166 


I=nnn-nnn, startup 
parameter to include 
memory allocation 176 


IBM 
network interface card 178 
protocol suite example 61 


IBM PC 
remote control of Sniffer 
analyzer 150 
Sniffer demonstration xv 
ID, manufacturer 159, 160 
station address 105, 166 
table of names and codes 
167 
IEEE 
802.2 48, 53, 88, 89 
802.3 89 
standard for transmission 
of DLC address 114, 167 


import name table for station 
addresses 162 


individual count of traffic by 
source 16, 38, 66, 68, 71 
matrix display 66, 69 
Info, HDLC type 72 
initialization 
name table 137, 162 
setup file 145 
installation guide xv 
Intel, manufacturer code 167 
interface card— see network 
interface card 


Intergraph, manufacturer 
code 167 


Interlan, manufacturer code 
167 


internal trigger 
procedure to set 60 


interpretation 
role of capture buffer 95 
search for text 129 


interpreter 
bit level 117 
configuration utility to 
select 10, 181, 182 
customer written 20, 116 
protocol 116 
registration 116 
role of Sniffer analyzer 5 


interpreter suite 
build different 
combinations 183 
maximum number that will 
fit 186 
selection in configuration 
utility 185 
specification sheet xiv 
interrupt, X.25 type 72 


interval 
network utilization 109 
skyline update 62 
traffic generator 87 


intruder— see unknown 
address 


IOBASE=hhhh, startup 
parameter to report I/O 
memory boundary 177, 
178 


IP 
address format 112, 113, 
164 


address level 98 

example 111 

level in name table 101 

protocol filter 49 

protocol number for TCP 
54 


IRQ, table of default and 
alternative values 178 


IRQ=n, startup parameter to 
report interface card’s 
interrupt level 177, 178 


ISO 

frames that span several 
DLC frames 125 

interpretation of ASN.1 118 

interpreter suite in 
configuration utility 
example 183 

spanned frames 63 
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jump 
to frame number 127, 128 
to marked frame 127, 128 
to menu item 143 
to trigger frame 127, 128 
kilobytes 
display of count of traffic 
seen 63 
measure of traffic volume 
37 
per second propagation 80 
units 65 


Kinetix, manufacturer code 
167 


LAN contrasted with wide- 
area 5 


LAN Manager 
token ring functional 
address 13 
layer 
detail view 112 
OSI model colors 121 
protocol 5 


LCD 

display 121 

startup parameter 175 
LCDR, startup parameter 175 


LCN 
active vs. completed calls 
72 
address not determined in 
frame 72 
count during capture 38, 72 
table 72 
length 
ARCNET frame 123 
field in trace file header 169 
frame 107 
generated frame 85 
printed page 136 
level 
address filter 98 
address in summary view 
99 
all vs. highest only 105 


live capture 66 


LLC, transliteration of 
characters in hex view 123 


load 
file of captured frames 95, 
136, 142 
file of saved frames 41 
setup 145, 159, 160 


lobe media test on token ring 
193 


lobe wire fault on token ring 
193 


LocalTalk 
address format 164 
broadcast address 47 
example comparing screen 
and CSV output 135 
low-level protocols 
undisplayed 49 
matrix of traffic by source 
69 
network code in trace file 
170 
network interface card 178 
one-byte address 104 
logarithmic scale 
traffic density bar graphs 
37, 62, 65 
logic, combination of several 
patterns 55 
logical call 72 
name for source or 
destination 73 


logical call number— see 


look for names 138, 141, 160 
LOOP, protocol filter 49 
lost frame 
effect of capture filter 43 
effect of truncation 62 
flag 108 
highspeed capture mode 38 
low-order-bit first 
transmission order 114, 167 


M, marked frame 108 


MAC protocol 
filter 49 
transliteration of characters 
123 


main menu 26, 28 
make directory 158 


manage names 196 
name table 136 


manual 

installation guide xv 

Network and Protocol 
Reference xiv 

organization xiii 

Sniffer Network Monitor 
xiv, 15 

SniffMaster I xiv, 12 

TeleSniffer xiv, 13 


manufacturer ID 
file extension 155 
file format 166 
name in station address 105 
table of names and codes 
105, 159, 160, 167 


mark 
default range of frames 
printed 132 
flag 108, 109 
function key 126 
jump to 127, 128 


match 
fewer than four 44 
name for 43, 50 


Match 1, name for filter 
element 43, 50, 60, 99, 130 


matrix counts by source 
during capture 38, 62, 66, 
69 


MALU, token ring 193 


MAXSTNS=nnn, startup 
parameter 137, 140, 142, 
175 


media access unit 
IBM vs. 3Com units 193 


initially oe indetail [pTi, printer output 132, 196 token ring 193 
view 
. LT, network abbreviation in IMeMOLy: 
acta: address filter 100 file name 155 allocation parameters 176 
oan eeaaoas 64 LIc, papery es for oe . 50 oe eee 174 
Tis gerarates PEP SERES AIGIIES EN need for configuration 
skyline 74 LTD, extension for file of utility 11 
traffic density bar graphs station names 155 report of allocation 61 
37, 62, 65 LTI, extension for file of ia iia 
: 155, 166 ansmitted address 
lines per page 136 manufacturer IDs 155, é i 
eee ie LTS, weensien for file of Sniffer demonstration xv 
: ied : ; : setup specifications 155, menu 
link, eon configuration 161 configuration utility 185, 
ee LTSNIEF, directory 158 186 
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Index 


detail display 96 
display 96 
display filters 97 
function key during 
display 126 
generated by .MNU files 
157 
hex display 96 
jump to item 143 
main 28 
selection 10, 182 
startup parameter to adjust 
scrolling 175 
summary display 96 
MENU.EXE, executable file to 
manage selection menu 
154 


Metaphor, manufacturer code 
167 


meter, traffic density 15 


Microsoft Quick C Compiler 
184 


MIPS, manufacturer code 167 


misaligned frame— see 
alignment error 


MNU, file extension for menu 
file 154, 157, 172, 174 


mode 
external monitor 122 
printer command 196 


model 
Sniffer analyzer xiv 
specification sheet xv 


modem 
eliminator 150 
remote operation 150 


modular board system 10 


modulo 8 or 128, 
WAN/synchronous 
option 40 

monitor 

blank screen 191 
display alternatives during 
capture 65 
during capture vs. without 
capture 33 
external 
additional skylines 74 
color 121 
failure to show output 
193 
LCD 121 
startup parameter 175 
Sniffer Network Monitor 
xiv, 3 
monitoring 
during capture 15 
Sniffer Network Monitor 15 
traffic through a bridge 59 


vs. analysis 3 
vs. capture 15 


mono, startup parameter 175 

moving average of network 
utilization 109 

MS, modular board system 
for Sniffer 10 


multicast destination address 
47 


multiple 
ARCNET stations with 
same name 165 
interface cards in one 
analyzer 9 


name 

display during capture 36 

duplicate 140 

effect of address level filter 
99 

failure to display 196 

field width in display 104, 
105 

file 153 

extension 154 

file of captured frames 159 

generic address 47 

in summary view 104 

LCN call address 72 

manufacturer of interface 
card 105 

match in filter 43, 50, 99 

Sniffer executable file 155, 
172 

source or destination of 
logical call 73 

station in address filter 100 

symbolic equivalent for 
station address 6, 136, 
164 


name table 
add entries 101 
additions during capture 
1 


additions during display 
138 


alphabetization 165 

automatic scan for entries 
101, 137, 138, 140, 141 

blank name limit per 
address level 137 

clear 140 

comment 163 

contrast with saved file 140 

create new 162 

default type 164 

edit 36, 137, 138, 139, 140 

effect of address level 138 

explicit and implicit 
declarations of address 
type 164 

file extension 155 


file format 162 

file organization 159 

higher level scan 141 

HOSTS.xxD 162 

import from file 142 

initialization 137, 142 

look for names 138 

maximum size 137, 140, 142 

new station> 46 

not in saved setup 145 

protocol level 139 

resolve from external file 
138, 141 

save to file 137, 138, 140, 
142, 160 

supplement by external file 
162 

symbolic equivalents for 
addresses 136 

symbolic equivalents found 
in network messages 
138, 141 

symbolic equivalents 
resolved from external 
file 142 

type of address 163 

unknown station 37 

unnamed station lost at 
save 141 

working table vs. saved file 
101, 136, 137 


NBI, manufacturer code 167 


Nestar 
manufacturer code 167 
system code 49 


NetBIOS 
protocol filter 49 
symbolic equivalent 138 
trigger example 61 


NetWare protocol suite 
example 61 


network 

communication link 
between analyzer and 
remote controller 150 

field in trace file 170 

interface card 9 

LAN vs. WAN 5 

live capture 37 

multiple interface cards 9 

probe 70 

reference xiv 

role of Sniffer analyzer 5, 
13 

selection in configuration 
utility 185 

specification sheet xiv, xv 

utilization percentage 37, 
62, 107, 109 


Network Computing Devices, 
manufacturer code 167 
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Network General 
FAX number 191 
manufacturer code 167 
software bug 197 
technical support 191 


network interface card 
description in .CFG file 157 
parameters 178 
startup parameters to 
report settings 177 
unique DLC address 113 
network layer, OSI model 121 
Network Systems Corp, 
manufacturer code 167 


network utilization 109 
appears implausibly low 
196 


moving average 109 

summary view 107, 109 

window in which 
computed 109 


new capture, function key 127 
new directory 158 


new station> 
edit name table 46, 139 


new, response to ARCNET 
probe 70 


next frame, function key 127 
NeXT, manufacturer code 167 


NIC— see network interface 
card 


no frames selected 
message 195 


no signal 

token ring option 39 
non-system disk 

error message 191 


NOP 
startup parameter dummy 
174 


NOSCROLL, startup 
parameter 175 


Novell 
manufacturer code 167 
system code 49 


Novell NetWare 
protocol filter 49 
protocol suite example 61 
symbolic equivalent 138 


NOWATT, startup parameter 
175 


NRZ vs. NRZI encoding 40 
null modem 59 

number pages of report 136 
numeric field, byte order 171 


octal ARCNET station 
address 45, 105, 164 


offset 

compensation for source 
routing information 52 

cut and paste procedure 54 

frame relative vs. data 
relative 53 

hex view 122 

pattern search 52, 125, 130 


on-line help xv 
function key 126 
options 
audible clicks 39 
included in saved setup 
145 
menu heading 34 
saved to file 159 
WAN/synchronous 40 


order 
bits within byte 114, 167 
bytes in numeric field of 
trace file 171 


organization 
directories 156 
manual xiii 
menus 28 


OSI layer 
color coding 121 


output 
printer 132 
printer page titles 136 
screen vs. printed 133 
to file 132 


Pl 
network abbreviation in 
file name 155 
X.400 protocol example 118 


P1D, extension for file of 
station names 141 


P1S, extension for file of 
setup specifications 144, 


PISNIFF etc, directory 158 


PA, self-contained Sniffer 
analyzer 10 


packet 
count by HDLC and X.25 
types 72 
numbering on 
WAN/synchronous 40 
synonym for “frame” 5 
type, WAN/synchronous 
option 40 
page 
form feed to terminate 136 
length 136 
numbers in printed report 
136 


titles 136 


pair count 
capacity of display 67 
capture 16, 38, 67 
example 67 
source and destination 62 
traffic 66 


panel 
active 103 
zoom in active panel 126 


parallel port 132 


parameters— see startup 
parameters 


paste 
offset from display to 
pattern-match entry 54 
pattern from ar ek to 
pattern-match entry 53 


path 
different directory 158 
DOS environment variable 

157 

help files 196 
name files 196 
not in saved setup 145 
startup file 162 


pattern match 49, 59 
binary data 52 
capture filter 9, 50 
character data 52 
cut and paste procedure 53 
display filter 18, 50, 98, 102 
don’t care character 51, 52 
example 54 
failure to work 195 
filter 35, 42 
hexadecimal data 52 
joint effect of several 
patterns 55 
logical combination of 
component patterns 55 
offset 52, 125, 130 
procedure to set 50 
saved setup 145 
search for frame 9, 50, 127, 
130 
trigger 17, 36, 50 
pause, capture 41 
PC 
network abbreviation in 
file name 155 
remote control of Sniffer 
analyzer 150 


PC Network 
bit reversal in DLC address 
114, 167 
bit reversal option 40 
minimum frame size 57 
multicast address 47 
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network code in trace file 
170 
network interface card 178 


PCC, extension for file of 
captured frames 155 


PCD, extension for file of 
station names 141, 155 


PCI, extension for file of 
manufacturer IDs 155, 166 


PCS, extension for file of 
setup specifications 144, 
155, 161 

percentage utilization 62, 109 

appears implausibly low 
196 


measure of traffic density 
37 
summary view 107 


PgDown, cursor key 127 
PgUp, cursor key 127 
physical layer 

OSI model 121 


pin connections 
external trigger 58 


PLASMA, startup parameter 
175 


platform 
Sniffer analyzer xiv 
specification sheet xv 


playback 
capture from file 34, 37, 62, 
66 


capture from trace file 14 
from file of saved frames 41 


plus sign, detail view 125 


PNC, extension for file of 
captured frames 159 


pre-trigger percentage 
stop capture option 60 


preferences 
included in saved setup file 
145, 159, 160 


presentation layer, OSI model 
121 


previous frame 
function key 127 


printer output 

capture buffer 133 

compared with screen 133 

default values for range of 
frames 132 

destination 132 

failure to appear 196 

format 131, 167 

options in saved setup 145 

page size 136 

page titles 136 

report 131, 167 


width of text 111 
printer port 132 


PRN, file extension for 
printer output 154 


PRN, file extension for 
printer report 133 


probe, ARCNET 70 


process (Unix) 
remote control of Sniffer 
analyzer 150 
propagation speed 
cable test 80 


Proteon, manufacturer code 
167 


protocol 
address level 98 
capture filter 8, 35, 48 
display filter 102 
display filter vs. capture 
filter 102 

filter 98, 102 

ARCNET network code 

48 

Ethertype 48 

SAP 48 
high level address 98 
high level filters 34 
higher-level 138 
in summary view with 

highest-level only 105 

interpretation 5 
level in detail view 18, 112 
level in name table 164 
name for address 137 
reference xiv 
screen vs. printed 133 


protocol interpreter 116 
address format 112 
bit level 117 
configuration utility to 

select 10, 182 

customer-created 116 
registration 116 
specification sheet xv 


protocol interpreter suite 
build different 
combinations 183 
configuration utility 181 
maximum number that will 
fit 186 
represented in Sniffer file 
name 155, 172 
selection in configuration 
utility 185 
specification sheet xiv 
Pyramid, manufacturer code 


QC2, directory 157, 184 


Quick C Microsoft compiler 
184 
RAD Network Devices Ltd, 
manufacturer code 167 
RAMBASE=hhhh, startup 
parameter to report start 
of RAM memory 177, 178 
range 
frames in printed report 
131, 197 
real-time display during 
capture 15, 64 
reconfigure 
count of total occasions 63 
flag 108 
reflectometer 79 


registration 
protocol interpreter 116 
REJ, HDLC and X.25 type 72 
REL=nnn, startup parameter 
to reduce memory 
claimed by analyzer 176 
relative time 107, 109 
remote operation 
SniffMaster I 12, 149 
SniffMaster I manual xiv 
startup parameter to adjust 
scrolling 175 
TeleSniffer 12, 149 
report 
content of frames in 
capture buffer 131, 167 
fields included 131 
form feed 136 
range of frames included 
131, 197 
default 132 


reset, X.25 type 72 


resolve names 138, 141, 142, 
160, 162 


restart, X.25 type 72 
Retix, manufacturer code 167 


reverse direction, station 
address filter 45 


RI, source routing 
information field 52 


Ridge, manufacturer code 167 

RNR, HDLC and X.25 type 72 

role on network, Sniffer 13 

root directory 156 

ROWS=nn»1, startup 
parameter 175 

RR, HDLC and X.25 type 72 


RS232, line status indicators 
64, 72 
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RTS 
external trigger 57, 58 
protocol filter 49 
synchronous line status 
indicator 64, 72 


RxC, synchronous line status 
indicator 64, 72 


RxD, synchronous line status 
indicator 64, 72 


S, suffix in extension of setup 
file 144, 155, 159, 161 


SABM, HDLC type 72 
SABME, HDLC type 72 
sample data xvi 
SAMPLES, directory 158 


SAP 
generated frame 85, 89, 90 
identified at DLC level 49 
protocol filter 48 
transliteration of characters 
in hex view 123 


save 
capture buffer 18, 41, 95, 
142, 143, 197 
directory 158 
file format 168 
effect of display filter 97 
name table 137, 138, 140, 
142, 159, 160, 196 
alphabetization 163, 166 
caution 141 
setup 22, 41, 144, 159, 160 
options included 145 


scale 
linear vs. logarithmic 37, 62 
skykline up or down 74 
skyline up or down 73 


SCR, DOS environment 
variable 174 


screen 
blank 191 
size for additional skylines 
74 


vs. printed output 133 


SCRMODE, DOS 
environment variable 174 


scrolling 

display views 110 

horizontal 127 

LCN table 72 

multiple views 127 

skyline display 37 

synchronization of hex and 
detail views 124 

synchronization of 
summary and detail 112 

to next or previous frame 
127 


SDLC 
transliteration of characters 
123 
WAN/synchronous option 
40 


search 
text 128 


search for pattern 127, 130 
captured frames 50 
case sensitive 128 
during display 9 
offset 125 
saved setup 145 


search for text 127, 128, 130 


select station 
dialog box 45, 101 


selection menu 10, 25 
automatic invocation 157 
configuration utility 184 
multiple occurrences of 

same item 11 


sequence number 
generated frame 92 


Sequent, manufacturer code 
167 
serial communications 
WAN Sniffer 5 


serial number 
Sniffer analyzer 197 


serial port 132 
connect remote console 150 
external trigger 59 
remote operation 12 


series, Sniffer analyzer 
models xiv 


service access point— see 
SAP 
session layer, OSI model 121 
set mark, function key 126 
SET, command to set DOS 
environment variables 174 
setup 
automatic at startup 145 
default values 34, 161 
file extension 155 
options saved 145 
saved file 22, 144, 159, 160 
saved vs. current 41 
start with customized 161 
side-by-side 
two viewports 19, 96, 103 
two-station format 106 
signal to or from external 
trigger 36 
SilGrf, manufacturer code 167 


size 
effect of truncating frame 
63 
minumim frame 56 
number of bytes in frame 
109 


printed page 136 

stored frame 62 

truncate captured frame 37 

skyline 

display during capture 15, 
16, 37, 65 

frames seen 73 

from DTE and from DCE 
73 

kilobytes seen 73 

more on larger screen 74 

scale adjustment during 
capture 73, 74 

scrolling 37 

suppressed during 
highspeed capture 65, 
66 


tab to move from one to 
another 74 

traffic density bar graph 34, 
73 


units 65 
update interval 62 
vertical scale linear or 
logarithmic 74 
view earlier or later 73 
which one is active 74 
SL, network abbreviation in 
file name 155 
SLC, extension for file of 
captured frames 155, 159 
SLD, extension for file of 
station names 141, 155 
SLI, extension for file of 
manufacturer IDs 155, 166 
slicing— see frame size or 
truncation 
SLOAD.EXE, file in startup 
procedure 174 


SLS, extension for file of 
setup specifications 144, 
155, 161 

SLSNIFF, directory 158 

SMB, trigger example 61 

SNA 

count during capture 71 

protocol filter 49 

transliteration of characters 
123 

type count during capture 
38 


WAN/synchronous option 
40 
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SNAP, protocol filter 49 
Sniffer 
demonstration package xv 
hardware 9 
help file xv 
interpreter of protocols 5 
Network and Protocol 
Reference xiv 
Network Monitor xiv, 3, 15 
platform xiv 
remote operation 12 
role on network 5, 13 
schematic diagram of flow 


self-contained vs. board 
systems 10 

SniffMaster I manual xiv 

software 9 

TeleSniffer remote 
operations 13 

token ring severed 14 

tutorial xvi 

utility to generate 
executable files 11 

WAN and LAN versions 5 


Sniffer analyzer 

build new executable file 
186 

directory structure 156 

executable file 

name 172 

failure to start 191 

multiple alternate 
executables 182 

name for executable file 
155, 172 

parameters passed at 
startup 172 

serial number 197 

software bug 197 

startup 159 

startup parameters 172 

troubleshooting 191 


SniffMaster I 
manual xiv 
remote operation 149 
size of window 110 
Sun as remote controller 12 
snow in CGA display 
startup parameter 175 
SNSTART.BAT 
editing startup parameters 
174 
passing startup parameters 
172 


set current directory 158 
software, Sniffer analyzer 9 
sort name table 165 


source address 
count 62, 66, 68, 71 
matrix display 66 


filter 35, 42, 44 

individual count 69 

logical call 73 

omitted in two station 
format 106 

tabulation during capture 
38 


source of capture 
network or file 62 


source routing information 
compensation in offset 52 


spanned frame 
detail display 125 
effect of truncation 63 
specification sheet 
network xiv, xv 
protocol interpreter suite 
xiv, Xv 
Sniffer analyzer platform 
xv 


speed 
propagation 80 
selection on token ring 39 


Spider, manufacturer code 
167 


spread sheet 
report for 131, 167 


stand-by monitor 
token ring 13 


StarLAN 

cable 192 

example of report to 
printer 133 

hub 192 

minimum frame size 56 

multicast address 47 

network code in trace file 
170 

network interface card 178 


start capture 38, 67 


STARTUF files 137, 142, 159 
automatic use 161 
initial setup 145 

startup parameters 
editing 173, 174 
position 174 
Sniffer analyzer 172 
specified in MNU files 172 
use of DOS environment 

variables 174 


STARTUP.xxD 
alphabetization of names 
166 
format of name table 162 
name file 196 
station address 136 
additional name table 162 
ARCNET probe for active 
70 


automatic scan captured 
frames 101 

bit reversal on PC Network 
114, 167 

bits in memory vs. bits on 
wire 113 

dialog box to select 45, 101 

display filter procedure 99 

display filter vs. capture 
filter 99 

filter 35, 43, 98 

apparently not working 
195 


example 45 

format 45 

frame relative vs. data 
relative 195 

higher level 139 

IEEE standard for bit order 
114, 167 

inclusion of manufacturer 
ID 166 

level 100 

name table 101, 159, 164 

name table field 163 

one name for multiple 
ARCNET addresses 165 


pair counts 38, 62 
pairs in side-by-side format 
106 


saved setup 145 

source vs. Source-and- 
destination count 38 

spurious 67 

symbolic equivalent 136 

traffic generator 86 

unique in name table 140 

unknown 8, 42 

width of display field 105 


station name 


edit 36, 137, 138, 139, 140 
summary view 104 
width in display 104 


status 


RS232 indicators for line 64 


stop capture 41 


buffer full 36, 60 
position of trigger frame 59 
trigger 36 


summary view 103, 104 


CSV format 135 

display 96 

effect of address level filter 
99 

end key 127 

fragment 108 

highest-level only 105 

home key 127 

interchange between pair 
of stations 106 

names 104 

network utilization 107, 109 


{(Network || 
|General) 


213 


Sniffer Network Analyzer Operations Manual 


position 103 
screen vs. printed 133 
search for text 129 
synchronization with detail 
view 19, 117, 127 
time 
absolute vs. relative 107 
two-station format 106 
other frames 107 
with detail view 112 


Sun 

interpreter suite in 
configuration utility 
example 183 

manufacturer code 167 

remote controller for 
Sniffer 12 

workstation as remote 
controller 150 


SunView 
remote operation of Sniffer 
analyzer 150 
support, technical 191 


SY, network abbreviation in 
file name 155 


SYC, extension for file of 
captured frames 155, 159 

SYD, extension for file of 
station names 141, 155 

SYI, extension for file of 
manufacturer IDs 155, 166 


Symblx, manufacturer code 
167 
symbolic equivalent 
NetBIOS 138 
Novell 138 


symbolic name— see name 


synchronization 
views 19, 117, 127 

synchronous WAN— see 
WAN/synchronous 

SYS, extension for file of 
setup specifications 144, 
155, 161 

SYSNIFF, directory 158 

system code, traffic generator 
89 


Sytek 
manufacturer code 167 
network interface card 178 


T 
suffix in extension of 
frame-type file 155 
trigger frame flag 61, 108 
Tab key 126 
move from one skyline to 
another 74 
move to next panel 127 


TCP 
byte rather than packet- 
oriented 63 
example 111 
IP protocol number 54 
Telnet code 55 


TCP/IP 
interpreter suite in 
configuration utility 183 
pattern match example 54 
technical support 191 
report software error 197 


Tektronix, manufacturer code 
167 


TeleSniffer 
manual xiv, 13 
remote operation 12, 149 
startup parameter to adjust 
scrolling 175 


Telnet 
TCP code 55 


Telnet, pattern match 
example 54 


test, Datapoint system code 
71 


text search 9, 127, 128, 130 
case sensitive 128 
interpretation 129 


text transliteration in hex 
view 122 


“thermometer” 
traffic density 
linear vs. log scale 65 
traffic density bar graph 15, 
64 


units 65 


thin Ethernet 
propagation speed 80 


TI, manufacturer code 167 


time 107 

absolute 109 

delta 109 

example of various 
measures 110 

format in trace file 170, 171 

network utilization 
window size 109 

relative 109 

summary view 108 

unit, field in trace file 170 

unit,field in trace file 171 


time-domain reflectometer 79 


timestamp 
captured frame 14 


title, printed report 136 


to <all stations> 
menu option 86 


- to frame n, range printed 132 


token during traffic 
generation 13 


token ring 
16 vs. 4 Mbps speed 39 
address recognized bits 120 
broken ring 14 
DB-9 connector 193 
disconnect option 39 
fragmented or beaconing 

39 


frame copied 120 

frame relative vs. data 
relative address 195 

functional address 47 

LAN Manager functional 
address 13 

lobe media test 193 

lobe wire fault 193 

location in ring 120 

media access unit 193 

monitor 13 

network code in trace file 
170 

network interface card 178 

reversal of address bits on 
PC Network 114, 167 

temporary disconnect 39 

“trace tool present” 13 

trailer 120 

transliteration of characters 


trigger example 61 


token timer 
menu option 82 
summary view 104 


TOOLS, directory 157, 184 
TOPS, network interface card 


total 
display of count of frames 
seen 63 
units 63, 65 


TR, network abbreviation in 
file name 155 


trace file 
captured frames 41, 142 
delete 144, 197 
end of file record 171 
format 168 
header 169 
identifying extension 155 
load 95 
name 159 
sample xvi 
source of capture 14, 34, 37, 
41, 62, 66 
version record 169 


trace tool present 
token ring message 13 
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traffic 
capture 7 
counters during capture 34, 
37 


density 15 
bar graph 6, 34, 64, 73 
maximum 64 
scale 62 
failure to observe 194 
implausible numbers 195 
lost minimized by 
highspeed capture 38 
measures of volume and 
density 37 
tabulation by source and 
destination 16, 38, 67 
total 63 


traffic generator 13, 85 
collisions 13 
sequence number 92 
token passing 13 


trailer, token ring 120 
training 

Sniffer tutorial xvi 
transceiver 


Ethernet 192 
fault 38 


transliteration 
automatic selection of 
ASCII or EBCDIC 123 
character data 122 
select ASCII or EBCDIC 
123 


transmission order 
bits within byte 114, 167 
variation by network 113 


transport layer, OSI model 
21 


TRC, extension for file of 
captured frames 155, 159 


TRD, extension for file of 
station names 141, 155 


TRI, extension for file of 
manufacturer IDs 155, 166 


trigger 16 
capture of later frames 36 
chime to report 64 
event 17 
example 
ARCNET 61 
Ethernet 61 
token ring 61 
external signal 36, 58 
flag 61, 108 
general description 36 
internal vs. external 57 
jump to 127, 128 
pattern match 17, 36, 50 
position in capture buffer 
36, 59 


procedure to set 36 
external 57 
internal 60 

receive signal from serial 

port 57 

role of detector 17 

saved setup 145 

send signal to serial port 57 

stop capture 41, 60 


TRIGGERED (message) 61 
TRLR, protocol filter 49 


troubleshooting 191 
TeleSniffer to examine 
Sniffer 13 


TRS, extension for file of 
setup specifications 144, 
155, 161 

TRSNIFF, directory 158 


truncation 
capture option 37 
effect 62 
effect on spanned frame 63 
frame 34 
stored frame 62 
TRW, manufacturer code 167 
tutorial, Sniffer xvi 
two viewports 19, 96, 103 
two-station format 19, 106 
choice of stations 106 
display of other frames 107 
example 106 
hints for adjustment 107 
source and destination 106 
summary view 106 


TxC, synchronous line status 
indicator 64, 72 
TxD, synchronous line status 
indicator 64, 72 
TXT, file extension for text 
154 
type of address 139 
TYPEAHEAD, startup 
parameter 175 
U-B 
manufacturer code 167 
protocol filter 49 


UA, HDLC type 72 
UI, in generated frame 91 
unique address 
name table 140 
Unisys, manufacturer code 
167 
units 
capture display 37 
counters,totals, skylines, 
density bar graph 65 


traffic density during 
capture 62 


Univation, manufacturer 
code 167 


Unix process 
remote control of Sniffer 
analyzer 150 


unknown station 
capture filter 35 
defined by name table 37 
filter 8, 42, 47 


up arrow— See cursor up 


upstream neighbor 
token ring 120 

utilization 
capture buffer 64 
implausibly low 196 
measure of traffic density 

37 

summary view 107 


validity checks 120 
VCS, address format 113 


version record, field in trace 
file 170 


version, field in trace file 168, 


VGA external monitor 122 
view 
active 103 
detail 18, 103, 110, 112 
earlier /later (skyline) 73 
hexadecimal 19, 103, 122 
position of summary, 
detail, hex 103 
scrolling 124 
several on screen 112 
summary 19, 103, 104 


viewports, two 103 


VINES, bit-level 
interpretation 117 


VIP, example of bit-level 
interpretation 117 


Visual Technology, 
manufacturer code 167 


Vitalink, manufacturer code 
167 


WAIT, startup parameter 175 


WAN/synchronous 

3-way connector to DTE 
and DCE 193 

capture example 72 

line status display 64 

network code in trace file 
170 

network interface card 178 

options 40 

Sniffer analyzer 5 
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Wellfleet, manufacturer code 
167 


Western Digital, 
manufacturer code 167 


whole frame, capture option 
62 


wide-area network 
vs. LAN 5 

width 
name 104 
time displays 107 


wild card 
character in pattern match 
51, 52 


window 

display 19 

remote control of Sniffer 
analyzer 150 

scrolling 124 

size at external monitor 110 

size set by startup 
parameter 175 

specify size for network 
utilization 109 

zoom in active window 103 


working name table 
contrast with saved file 140 


X Windows 
interpreter suite in 
configuration utility 
example 183 
protocol 
spanned frames 63 


X, don’t care character in 
pattern match 51, 52 
X.25 
count during capture 38, 
71, 72 
LCN 72 
WAN/synchronous option 
40 


X.400 

address level 98 

syntactic vs. semantic 

interpretation 118 

Xerox, manufacturer code 167 
XNS 

address format 113 

address level 98 

level in name table 101 

protocol filter 49 

protocol suite example 61 
xxSNIFF, directory 158 


Xyplex, manufacturer code 
167 


Xyvision, manufacturer code 
167 


ZNet, network code in trace 
file 170 


zoom 
active panel 126 
function key 103, 126 
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